Edit tour

Windows Analysis Report
UoEDaAjHGW.exe

Overview

General Information

Sample name:	UoEDaAjHGW.exe renamed because original name is a hash value
Original sample name:	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
Analysis ID:	1590569
MD5:	948d8d109d5498949cb6df8ddf011187
SHA1:	a34388517b5d91508739469cfcb99415a0aaeeb3
SHA256:	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422
Tags:	exeuser-threatcat_ch
Infos:

Detection

PureLog Stealer, Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

UoEDaAjHGW.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\UoEDaAjHGW.exe" MD5: 948D8D109D5498949CB6DF8DDF011187)

UoEDaAjHGW.exe (PID: 7464 cmdline: "C:\Users\user\Desktop\UoEDaAjHGW.exe" MD5: 948D8D109D5498949CB6DF8DDF011187)

UoEDaAjHGW.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\UoEDaAjHGW.exe" MD5: 948D8D109D5498949CB6DF8DDF011187)

schtasks.exe (PID: 7516 cmdline: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Exccelworkbook.exe (PID: 7568 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 948D8D109D5498949CB6DF8DDF011187)

Exccelworkbook.exe (PID: 7708 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 948D8D109D5498949CB6DF8DDF011187)

Exccelworkbook.exe (PID: 7716 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 948D8D109D5498949CB6DF8DDF011187)

schtasks.exe (PID: 7748 cmdline: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Exccelworkbook.exe (PID: 7648 cmdline: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe MD5: 948D8D109D5498949CB6DF8DDF011187)

Exccelworkbook.exe (PID: 7940 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 948D8D109D5498949CB6DF8DDF011187)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;rency.ydns.eu:5287;wqo9.firewall-gateway.de:8841;code1.ydns.eu:5287;wqo9.firewall-gateway.de:9792;", "SubDirectory": "SubDir", "InstallName": "Exccelworkbook.exe", "MutexName": "025351e291-5d1041-4fa37-932c7-869aeiQec514992", "StartupKey": "pdfdocument", "Tag": "CODE", "LogDirectoryName": "Logs", "ServerSignature": "XBBvS+rvDQy/NRA7cnb+1Bf2zFbsUHBtrkbS5j0N0VYcCxHngz7kKbyn5Jk5bqDEI6eX9AB+bIEClKSPSVh4o0tmRTlCyQR8n6K5WidNbCUdY2+XqfpKSeeSe+/39iGrb9ZLHaZnA9ciC9yC4PwnmFUO4AD6c2tNeWgm2PU1ohA9OikWzIuh/ks9RkLPCX2N5NbpAd+AvnufkOJwDLDXLT4MfcZlD2s7folRvVMxMcO7qQh4qI3ucP90WFCEokdbM4Rp3wOtslDricIMAIkAmogGRz4B5aLGHo+UKGsYDeV1bWBtzFi1XTWQ/6q4qfqiD4xLJpDFMICIRPNdK9raQkGcTP03+NhWNSswQU59I2Ar9A0CAUdysw34N2Kjm/UbGRrW3+j9kbJxMldClUDkeN0cGmVyyaiGpPUQBlBuqH620bBOymsxD3XZ6Ouxl9MgjTV6Il/iiq/NSebMLiET2K09Tvpmc/8DD8KLeu+5NrJnmChJat6LR2NCPqv1vp8xPgJNCm4DSv6HB78QRq0Ni/oqW7UBnQR4da5/ckoEk+1ZyMZ/TftczNdKaLoyii2gXx3EzDhVEQy9OH8iNQqevGPW/pTYqLGAkH4hRs0+kir9p7nSGZpHvgHSJL7DbCzKlTEYyAlb4VFoR4L+DhJ0+A8JWxhOkfSCX2jo3RVCcPs=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQANqzkhOLx49IztAjuviKazANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDgyMDEyNDQxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgCzkFEuivKBaTsClmq/3wI2X1uYUZUxf0vEiobTv72lQBIu1jz/r6PADg+cpeGisY1MV3VsdWhecO8dT7LosHtl/FnpTjASkUp3LF0d6cPTgeLsKbK/xJ06uq5gaKvG8Q5zXq6Jbxv+STJdEgmxCf1SPAXViD1PIiGLt2B24qZyOtsSpTSnM5cQuLAvr/6xZG7GYkCU7PRADMGFUm3Xg6L3vRUU3h6vaddoMBAW9ENXVaym1eN5aax3x4tLNUp+kerM+kb/Ab/mi01+PfutPKTptP/dqEGZuKmVrGdX9A+s2Wo6sPtSl85NJT+HT+SSrROvGbx4GH3d6MSHx71JSzy+dph46LV3brBMzY/2xvLbIuPVHqniL/Y0bsUke6aD9cfXIa4UBi7TiKBuoKJYqoYa/VgdoqB4yDaczAnzzYXov7thvPL1Rwv5TueNsPSrQbXbvEJUDxRazlLIrGLuYzeGrnbFHOTM8KKpSVnE8uiXiSEW31DRNHXyLImklMHjwtGd4sjZD5EfkUcg1v9gVCu80ggT+/l7SflY07DOLFvS1ii2ZUPu3IjcbyPtlFj6pGUYjMbIZj8AdqIKyMh6IWtbsu6TMC2yEPSk5pwXrEf7M89nIfHtuhZio+mZ0MhGyHos3nv51/dDBKQnEtcJiODik24kI3JTMGnfQsp7IMjECAwEAAaMyMDAwHQYDVR0OBBYEFFUq5ihhM0we5AVYMhcmFpT6wUKMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFQvpu2xTTenJ6N6YiRWxJ1cwH673yEt60lfsF/xncTeD79qdjD371b1GzQtcYZtYuSdgajGG4YZ8gBrwthm2fOcfuWK2VRDOe7/++mJVEvvsUzzexNeB5nZCYuu1N4UA7z8RHJy6ycPTTcelqyMKUjAGTCZa2BQhkxoFq+wBrEZrY975RcEe7bNNWg0S8YpvdKXxwy/gDZUoWyWXvgmDFQ6VjzDk3jJb0fonxnP/9F7sjd1uU2t5d6aQdPXzbzgWC/IKRXpfdIIZe15uHs1o1O909ymViRRsyy36cjwZ1M2snHWsU7vO//CptldBoV6k6bKkvXA23Cg1vUT0mj0MW554Vb20afxPhyWqHQa4ffHspH2HxViicHx9YaD+WjNAER0Skdo7/sxVR9Ozms2kb8Tyd18mwtVvwmlBNdtwsw8MX9PeW0AXlJUXkHkj47TVP+yyv1dKdUaGZq+ErPjiGoQGBCeHrrtGh+WryK38T7huLnpt++Q4U+CJ6+u9Mvd+C7MCZmgsO9sn0fTL/z54j3zBaWZoRcUZg8IZ7U+C5eGCrg9VjubVdYSar5CrCQnw8x2Rl63qjLVOwpiRoNnEXxmE23yyx1hkP8r27EcTbH7PpJHI22khScfDhf0X/99HEaBqcs+GI+YnC5dpPHY9koTdT5JckCfPJ9sprOn9Ble"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2069342889.0000000004339000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2206980718.000000000345B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000008.00000002.2255644177.0000000004E15000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2092577682.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2267284095.000000000A17D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000004.00000002.2086684469.0000000000720000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000A.00000002.4496248076.0000000003187000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2066570250.0000000003331000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000007.00000002.2127024359.00000000029CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000007.00000002.2169614404.0000000009431000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000004.00000002.2086684469.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000007.00000002.2169614404.0000000009F92000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000007.00000002.2144856101.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: UoEDaAjHGW.exe PID: 7268	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: UoEDaAjHGW.exe PID: 7268	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: UoEDaAjHGW.exe PID: 7472	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Exccelworkbook.exe PID: 7568	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Exccelworkbook.exe PID: 7568	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Exccelworkbook.exe PID: 7648	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Exccelworkbook.exe PID: 7716	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.UoEDaAjHGW.exe.5db0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.UoEDaAjHGW.exe.4357590.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.UoEDaAjHGW.exe.5db0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.UoEDaAjHGW.exe.4357590.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.UoEDaAjHGW.exe.46eb318.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.UoEDaAjHGW.exe.46eb318.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d0d8:$x1: Quasar.Common.Messages 0x29d43b:$x1: Quasar.Common.Messages 0x2a99f2:$x4: Uninstalling... good bye :-( 0x2ab1e7:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.UoEDaAjHGW.exe.46eb318.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fa4:$f1: FileZilla\recentservers.xml 0x2a8fe4:$f2: FileZilla\sitemanager.xml 0x2a9026:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a9272:$b1: Chrome\User Data\ 0x2a92c8:$b1: Chrome\User Data\ 0x2a95a0:$b2: Mozilla\Firefox\Profiles 0x2a969c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb720:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a97f4:$b4: Opera Software\Opera Stable\Login Data 0x2a98ae:$b5: YandexBrowser\User Data\ 0x2a991c:$b5: YandexBrowser\User Data\ 0x2a95f0:$s4: logins.json 0x2a9326:$a1: username_value 0x2a9344:$a2: password_value 0x2a9630:$a3: encryptedUsername 0x2fb664:$a3: encryptedUsername 0x2a9654:$a4: encryptedPassword 0x2fb682:$a4: encryptedPassword 0x2fb600:$a5: httpRealm
0.2.UoEDaAjHGW.exe.46eb318.1.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9adc:$s3: Process already elevated. 0x28cdd7:$s4: get_PotentiallyVulnerablePasswords 0x276e58:$s5: GetKeyloggerLogsDirectory 0x29cb9a:$s5: GetKeyloggerLogsDirectory 0x28cdfa:$s6: set_PotentiallyVulnerablePasswords 0x2fcd4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
4.2.UoEDaAjHGW.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
4.2.UoEDaAjHGW.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.UoEDaAjHGW.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab7f2:$x4: Uninstalling... good bye :-( 0x2acfe7:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
4.2.UoEDaAjHGW.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aada4:$f1: FileZilla\recentservers.xml 0x2aade4:$f2: FileZilla\sitemanager.xml 0x2aae26:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab072:$b1: Chrome\User Data\ 0x2ab0c8:$b1: Chrome\User Data\ 0x2ab3a0:$b2: Mozilla\Firefox\Profiles 0x2ab49c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd520:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab5f4:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ae:$b5: YandexBrowser\User Data\ 0x2ab71c:$b5: YandexBrowser\User Data\ 0x2ab3f0:$s4: logins.json 0x2ab126:$a1: username_value 0x2ab144:$a2: password_value 0x2ab430:$a3: encryptedUsername 0x2fd464:$a3: encryptedUsername 0x2ab454:$a4: encryptedPassword 0x2fd482:$a4: encryptedPassword 0x2fd400:$a5: httpRealm
4.2.UoEDaAjHGW.exe.400000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8dc:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2feb4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.UoEDaAjHGW.exe.4a08938.2.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.UoEDaAjHGW.exe.4a08938.2.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d0d8:$x1: Quasar.Common.Messages 0x29d43b:$x1: Quasar.Common.Messages 0x2a99f2:$x4: Uninstalling... good bye :-( 0x2ab1e7:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.UoEDaAjHGW.exe.4a08938.2.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fa4:$f1: FileZilla\recentservers.xml 0x2a8fe4:$f2: FileZilla\sitemanager.xml 0x2a9026:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a9272:$b1: Chrome\User Data\ 0x2a92c8:$b1: Chrome\User Data\ 0x2a95a0:$b2: Mozilla\Firefox\Profiles 0x2a969c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb720:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a97f4:$b4: Opera Software\Opera Stable\Login Data 0x2a98ae:$b5: YandexBrowser\User Data\ 0x2a991c:$b5: YandexBrowser\User Data\ 0x2a95f0:$s4: logins.json 0x2a9326:$a1: username_value 0x2a9344:$a2: password_value 0x2a9630:$a3: encryptedUsername 0x2fb664:$a3: encryptedUsername 0x2a9654:$a4: encryptedPassword 0x2fb682:$a4: encryptedPassword 0x2fb600:$a5: httpRealm
0.2.UoEDaAjHGW.exe.4a08938.2.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9adc:$s3: Process already elevated. 0x28cdd7:$s4: get_PotentiallyVulnerablePasswords 0x276e58:$s5: GetKeyloggerLogsDirectory 0x29cb9a:$s5: GetKeyloggerLogsDirectory 0x28cdfa:$s6: set_PotentiallyVulnerablePasswords 0x2fcd4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
7.2.Exccelworkbook.exe.409cb38.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
7.2.Exccelworkbook.exe.409cb38.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.Exccelworkbook.exe.409cb38.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab7f2:$x4: Uninstalling... good bye :-( 0x2acfe7:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
7.2.Exccelworkbook.exe.409cb38.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aada4:$f1: FileZilla\recentservers.xml 0x2aade4:$f2: FileZilla\sitemanager.xml 0x2aae26:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab072:$b1: Chrome\User Data\ 0x2ab0c8:$b1: Chrome\User Data\ 0x2ab3a0:$b2: Mozilla\Firefox\Profiles 0x2ab49c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd520:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab5f4:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ae:$b5: YandexBrowser\User Data\ 0x2ab71c:$b5: YandexBrowser\User Data\ 0x2ab3f0:$s4: logins.json 0x2ab126:$a1: username_value 0x2ab144:$a2: password_value 0x2ab430:$a3: encryptedUsername 0x2fd464:$a3: encryptedUsername 0x2ab454:$a4: encryptedPassword 0x2fd482:$a4: encryptedPassword 0x2fd400:$a5: httpRealm
7.2.Exccelworkbook.exe.409cb38.0.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8dc:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2feb4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab7f2:$x4: Uninstalling... good bye :-( 0x2acfe7:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aada4:$f1: FileZilla\recentservers.xml 0x2aade4:$f2: FileZilla\sitemanager.xml 0x2aae26:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab072:$b1: Chrome\User Data\ 0x2ab0c8:$b1: Chrome\User Data\ 0x2ab3a0:$b2: Mozilla\Firefox\Profiles 0x2ab49c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd520:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab5f4:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ae:$b5: YandexBrowser\User Data\ 0x2ab71c:$b5: YandexBrowser\User Data\ 0x2ab3f0:$s4: logins.json 0x2ab126:$a1: username_value 0x2ab144:$a2: password_value 0x2ab430:$a3: encryptedUsername 0x2fd464:$a3: encryptedUsername 0x2ab454:$a4: encryptedPassword 0x2fd482:$a4: encryptedPassword 0x2fd400:$a5: httpRealm
0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8dc:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2feb4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
7.2.Exccelworkbook.exe.409cb38.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
7.2.Exccelworkbook.exe.409cb38.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d0d8:$x1: Quasar.Common.Messages 0x29d43b:$x1: Quasar.Common.Messages 0x2a99f2:$x4: Uninstalling... good bye :-( 0x2ab1e7:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
7.2.Exccelworkbook.exe.409cb38.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fa4:$f1: FileZilla\recentservers.xml 0x2a8fe4:$f2: FileZilla\sitemanager.xml 0x2a9026:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a9272:$b1: Chrome\User Data\ 0x2a92c8:$b1: Chrome\User Data\ 0x2a95a0:$b2: Mozilla\Firefox\Profiles 0x2a969c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb720:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a97f4:$b4: Opera Software\Opera Stable\Login Data 0x2a98ae:$b5: YandexBrowser\User Data\ 0x2a991c:$b5: YandexBrowser\User Data\ 0x2a95f0:$s4: logins.json 0x2a9326:$a1: username_value 0x2a9344:$a2: password_value 0x2a9630:$a3: encryptedUsername 0x2fb664:$a3: encryptedUsername 0x2a9654:$a4: encryptedPassword 0x2fb682:$a4: encryptedPassword 0x2fb600:$a5: httpRealm
7.2.Exccelworkbook.exe.409cb38.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9adc:$s3: Process already elevated. 0x28cdd7:$s4: get_PotentiallyVulnerablePasswords 0x276e58:$s5: GetKeyloggerLogsDirectory 0x29cb9a:$s5: GetKeyloggerLogsDirectory 0x28cdfa:$s6: set_PotentiallyVulnerablePasswords 0x2fcd4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x5f06f8:$x1: Quasar.Common.Messages 0x600a5b:$x1: Quasar.Common.Messages 0x60d012:$x4: Uninstalling... good bye :-( 0x60e807:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x60c5c4:$f1: FileZilla\recentservers.xml 0x60c604:$f2: FileZilla\sitemanager.xml 0x60c646:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x60c892:$b1: Chrome\User Data\ 0x60c8e8:$b1: Chrome\User Data\ 0x60cbc0:$b2: Mozilla\Firefox\Profiles 0x60ccbc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x65ed40:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x60ce14:$b4: Opera Software\Opera Stable\Login Data 0x60cece:$b5: YandexBrowser\User Data\ 0x60cf3c:$b5: YandexBrowser\User Data\ 0x60cc10:$s4: logins.json 0x60c946:$a1: username_value 0x60c964:$a2: password_value 0x60cc50:$a3: encryptedUsername 0x65ec84:$a3: encryptedUsername 0x60cc74:$a4: encryptedPassword 0x65eca2:$a4: encryptedPassword 0x65ec20:$a5: httpRealm
7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x4c6736:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x60d0fc:$s3: Process already elevated. 0x5f03f7:$s4: get_PotentiallyVulnerablePasswords 0x5da478:$s5: GetKeyloggerLogsDirectory 0x6001ba:$s5: GetKeyloggerLogsDirectory 0x5f041a:$s6: set_PotentiallyVulnerablePasswords 0x66036e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x5ac4f8:$x1: Quasar.Common.Messages 0x5bc85b:$x1: Quasar.Common.Messages 0x2ab7f2:$x4: Uninstalling... good bye :-( 0x5c8e12:$x4: Uninstalling... good bye :-( 0x2acfe7:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ... 0x5ca607:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aada4:$f1: FileZilla\recentservers.xml 0x5c83c4:$f1: FileZilla\recentservers.xml 0x2aade4:$f2: FileZilla\sitemanager.xml 0x5c8404:$f2: FileZilla\sitemanager.xml 0x2aae26:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x5c8446:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab072:$b1: Chrome\User Data\ 0x2ab0c8:$b1: Chrome\User Data\ 0x5c8692:$b1: Chrome\User Data\ 0x5c86e8:$b1: Chrome\User Data\ 0x2ab3a0:$b2: Mozilla\Firefox\Profiles 0x5c89c0:$b2: Mozilla\Firefox\Profiles 0x2ab49c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd520:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x5c8abc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x61ab40:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab5f4:$b4: Opera Software\Opera Stable\Login Data 0x5c8c14:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ae:$b5: YandexBrowser\User Data\ 0x2ab71c:$b5: YandexBrowser\User Data\ 0x5c8cce:$b5: YandexBrowser\User Data\
0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x482536:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8dc:$s3: Process already elevated. 0x5c8efc:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x5ac1f7:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x596278:$s5: GetKeyloggerLogsDirectory 0x5bbfba:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x5ac21a:$s6: set_PotentiallyVulnerablePasswords 0x2feb4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues> 0x61c16e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 36 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe, ParentProcessId: 7716, ParentProcessName: Exccelworkbook.exe, ProcessCommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, ProcessId: 7748, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\UoEDaAjHGW.exe", ParentImage: C:\Users\user\Desktop\UoEDaAjHGW.exe, ParentProcessId: 7472, ParentProcessName: UoEDaAjHGW.exe, ProcessCommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, ProcessId: 7516, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T09:37:09.148001+0100	2035595	1	Domain Observed Used for C2 Detected	94.156.177.117	9792	192.168.2.5	49709	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T09:37:09.148001+0100	2027619	1	Domain Observed Used for C2 Detected	94.156.177.117	9792	192.168.2.5	49709	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;rency.ydns.eu:5287;wqo9.firewall-gateway.de:8841;code1.ydns.eu:5287;wqo9.firewall-gateway.de:9792;", "SubDirectory": "SubDir", "InstallName": "Exccelworkbook.exe", "MutexName": "025351e291-5d1041-4fa37-932c7-869aeiQec514992", "StartupKey": "pdfdocument", "Tag": "CODE", "LogDirectoryName": "Logs", "ServerSignature": "XBBvS+rvDQy/NRA7cnb+1Bf2zFbsUHBtrkbS5j0N0VYcCxHngz7kKbyn5Jk5bqDEI6eX9AB+bIEClKSPSVh4o0tmRTlCyQR8n6K5WidNbCUdY2+XqfpKSeeSe+/39iGrb9ZLHaZnA9ciC9yC4PwnmFUO4AD6c2tNeWgm2PU1ohA9OikWzIuh/ks9RkLPCX2N5NbpAd+AvnufkOJwDLDXLT4MfcZlD2s7folRvVMxMcO7qQh4qI3ucP90WFCEokdbM4Rp3wOtslDricIMAIkAmogGRz4B5aLGHo+UKGsYDeV1bWBtzFi1XTWQ/6q4qfqiD4xLJpDFMICIRPNdK9raQkGcTP03+NhWNSswQU59I2Ar9A0CAUdysw34N2Kjm/UbGRrW3+j9kbJxMldClUDkeN0cGmVyyaiGpPUQBlBuqH620bBOymsxD3XZ6Ouxl9MgjTV6Il/iiq/NSebMLiET2K09Tvpmc/8DD8KLeu+5NrJnmChJat6LR2NCPqv1vp8xPgJNCm4DSv6HB78QRq0Ni/oqW7UBnQR4da5/ckoEk+1ZyMZ/TftczNdKaLoyii2gXx3EzDhVEQy9OH8iNQqevGPW/pTYqLGAkH4hRs0+kir9p7nSGZpHvgHSJL7DbCzKlTEYyAlb4VFoR4L+DhJ0+A8JWxhOkfSCX2jo3RVCcPs=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQANqzkhOLx49IztAjuviKazANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDgyMDEyNDQxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgCzkFEuivKBaTsClmq/3wI2X1uYUZUxf0vEiobTv72lQBIu1jz/r6PADg+cpeGisY1MV3VsdWhecO8dT7LosHtl/FnpTjASkUp3LF0d6cPTgeLsKbK/xJ06uq5gaKvG8Q5zXq6Jbxv+STJdEgmxCf1SPAXViD1PIiGLt2B24qZyOtsSpTSnM5cQuLAvr/6xZG7GYkCU7PRADMGFUm3Xg6L3vRUU3h6vaddoMBAW9ENXVaym1eN5aax3x4tLNUp+kerM+kb/Ab/mi01+PfutPKTptP/dqEGZuKmVrGdX9A+s2Wo6sPtSl85NJT+HT+SSrROvGbx4GH3d6MSHx71JSzy+dph46LV3brBMzY/2xvLbIuPVHqniL/Y0bsUke6aD9cfXIa4UBi7TiKBuoKJYqoYa/VgdoqB4yDaczAnzzYXov7thvPL1Rwv5TueNsPSrQbXbvEJUDxRazlLIrGLuYzeGrnbFHOTM8KKpSVnE8uiXiSEW31DRNHXyLImklMHjwtGd4sjZD5EfkUcg1v9gVCu80ggT+/l7SflY07DOLFvS1ii2ZUPu3IjcbyPtlFj6pGUYjMbIZj8AdqIKyMh6IWtbsu6TMC2yEPSk5pwXrEf7M89nIfHtuhZio+mZ0MhGyHos3nv51/dDBKQnEtcJiODik24kI3JTMGnfQsp7IMjECAwEAAaMyMDAwHQYDVR0OBBYEFFUq5ihhM0we5AVYMhcmFpT6wUKMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFQvpu2xTTenJ6N6YiRWxJ1cwH673yEt60lfsF/xncTeD79qdjD371b1GzQtcYZtYuSdgajGG4YZ8gBrwthm2fOcfuWK2VRDOe7/++mJVEvvsUzzexNeB5nZCYuu1N4UA7z8RHJy6ycPTTcelqyMKUjAGTCZa2BQhkxoFq+wBrEZrY975RcEe7bNNWg0S8YpvdKXxwy/gDZUoWyWXvgmDFQ6VjzDk3jJb0fonxnP/9F7sjd1uU2t5d6aQdPXzbzgWC/IKRXpfdIIZe15uHs1o1O909ymViRRsyy36cjwZ1M2snHWsU7vO//CptldBoV6k6bKkvXA23Cg1vUT0mj0MW554Vb20afxPhyWqHQa4ffHspH2HxViicHx9YaD+WjNAER0Skdo7/sxVR9Ozms2kb8Tyd18mwtVvwmlBNdtwsw8MX9PeW0AXlJUXkHkj47TVP+yyv1dKdUaGZq+ErPjiGoQGBCeHrrtGh+WryK38T7huLnpt++Q4U+CJ6+u9Mvd+C7MCZmgsO9sn0fTL/z54j3zBaWZoRcUZg8IZ7U+C5eGCrg9VjubVdYSar5CrCQnw8x2Rl63qjLVOwpiRoNnEXxmE23yyx1hkP8r27EcTbH7PpJHI22khScfDhf0X/99HEaBqcs+GI+YnC5dpPHY9koTdT5JckCfPJ9sprOn9Ble"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: UoEDaAjHGW.exe	Virustotal: Detection: 40%			Perma Link
Source: UoEDaAjHGW.exe	ReversingLabs: Detection: 31%

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.46eb318.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UoEDaAjHGW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.4a08938.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Exccelworkbook.exe.409cb38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Exccelworkbook.exe.409cb38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2206980718.000000000345B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2255644177.0000000004E15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2267284095.000000000A17D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2086684469.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4496248076.0000000003187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2066570250.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2127024359.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2169614404.0000000009431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2086684469.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2169614404.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2144856101.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UoEDaAjHGW.exe PID: 7268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UoEDaAjHGW.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 7648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 7716, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: UoEDaAjHGW.exe

Joe Sandbox ML: detected

Source: UoEDaAjHGW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.5:49711 version: TLS 1.2

Source: UoEDaAjHGW.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 94.156.177.117:9792 -> 192.168.2.5:49709
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 94.156.177.117:9792 -> 192.168.2.5:49709

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: twart.myfirewall.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.UoEDaAjHGW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Exccelworkbook.exe.409cb38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 94.156.177.117:9792

Source: global traffic

TCP traffic: 192.168.2.5:49373 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90
Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: twart.myfirewall.org
Source: global traffic	DNS traffic detected: DNS query: ipwho.is
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: Exccelworkbook.exe, 0000000A.00000002.4494011427.000000000138C000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.10.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Exccelworkbook.exe, 0000000A.00000002.4494011427.0000000001372000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/eny
Source: Exccelworkbook.exe, 0000000A.00000002.4496248076.000000000313A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: Exccelworkbook.exe, 0000000A.00000002.4496248076.000000000313A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.isd
Source: Exccelworkbook.exe, 0000000A.00000002.4496248076.0000000003187000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: Exccelworkbook.exe, 0000000A.00000002.4496248076.0000000003187000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: UoEDaAjHGW.exe, 00000004.00000002.2095172457.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.4496248076.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UoEDaAjHGW.exe, 00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000004.00000002.2086684469.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009431000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2144856101.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Exccelworkbook.exe, 0000000A.00000002.4496248076.0000000003129000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: UoEDaAjHGW.exe, 00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000004.00000002.2086684469.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009431000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2144856101.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.4496248076.0000000003129000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: UoEDaAjHGW.exe, 00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000004.00000002.2086684469.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009431000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2144856101.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: UoEDaAjHGW.exe, 00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000004.00000002.2086684469.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009431000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2144856101.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.4496248076.0000000002F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: UoEDaAjHGW.exe, 00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000004.00000002.2086684469.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009431000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2144856101.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443

Source: unknown

HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.5:49711 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.46eb318.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UoEDaAjHGW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.4a08938.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Exccelworkbook.exe.409cb38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Exccelworkbook.exe.409cb38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2206980718.000000000345B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2255644177.0000000004E15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2267284095.000000000A17D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2086684469.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4496248076.0000000003187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2066570250.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2127024359.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2169614404.0000000009431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2086684469.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2169614404.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2144856101.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UoEDaAjHGW.exe PID: 7268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UoEDaAjHGW.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 7648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 7716, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.UoEDaAjHGW.exe.46eb318.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.UoEDaAjHGW.exe.46eb318.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.UoEDaAjHGW.exe.46eb318.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 4.2.UoEDaAjHGW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 4.2.UoEDaAjHGW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 4.2.UoEDaAjHGW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.UoEDaAjHGW.exe.4a08938.2.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.UoEDaAjHGW.exe.4a08938.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.UoEDaAjHGW.exe.4a08938.2.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 7.2.Exccelworkbook.exe.409cb38.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 7.2.Exccelworkbook.exe.409cb38.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 7.2.Exccelworkbook.exe.409cb38.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 7.2.Exccelworkbook.exe.409cb38.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 7.2.Exccelworkbook.exe.409cb38.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 7.2.Exccelworkbook.exe.409cb38.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_031517E0	0_2_031517E0
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_03153210	0_2_03153210
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_031BE0CC	0_2_031BE0CC
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_05DDA558	0_2_05DDA558
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_05DD68B0	0_2_05DD68B0
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_05DDF538	0_2_05DDF538
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_05DDF100	0_2_05DDF100
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_05DD5D40	0_2_05DD5D40
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_05DDDCF8	0_2_05DDDCF8
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_05DDDCE8	0_2_05DDDCE8
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_05DDD8C0	0_2_05DDD8C0
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_05DD689F	0_2_05DD689F
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_05DD4B30	0_2_05DD4B30
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_05DD4B20	0_2_05DD4B20
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_076D75E8	0_2_076D75E8
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_076D9F50	0_2_076D9F50
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_076D4590	0_2_076D4590
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 4_2_0159F03C	4_2_0159F03C
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_0122E0CC	7_2_0122E0CC
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_02803210	7_2_02803210
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_028017E0	7_2_028017E0
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D6A558	7_2_06D6A558
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D65D40	7_2_06D65D40
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D668B0	7_2_06D668B0
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D6D437	7_2_06D6D437
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D6F538	7_2_06D6F538
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D6F100	7_2_06D6F100
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D6DCF8	7_2_06D6DCF8
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D6DCE8	7_2_06D6DCE8
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D64B30	7_2_06D64B30
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D64B20	7_2_06D64B20
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D6D8C0	7_2_06D6D8C0
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D6689F	7_2_06D6689F
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D6683F	7_2_06D6683F
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D775E8	7_2_06D775E8
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D79F50	7_2_06D79F50
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D775E0	7_2_06D775E0
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D74590	7_2_06D74590
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_0835500C	7_2_0835500C
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_08352BF8	7_2_08352BF8
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_08352BE8	7_2_08352BE8
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_014EE0CC	8_2_014EE0CC
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_017617E0	8_2_017617E0
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_01763110	8_2_01763110
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_03399508	8_2_03399508
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_03390130	8_2_03390130
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_0339012B	8_2_0339012B
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_033994F8	8_2_033994F8
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_0583500C	8_2_0583500C
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_05832BE8	8_2_05832BE8
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_05832BF8	8_2_05832BF8
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 10_2_02EEF03C	10_2_02EEF03C
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 10_2_0812B2C0	10_2_0812B2C0
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 10_2_08127E48	10_2_08127E48
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 13_2_0192F03C	13_2_0192F03C
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 13_2_05BB3CE8	13_2_05BB3CE8

Source: UoEDaAjHGW.exe, 00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs UoEDaAjHGW.exe
Source: UoEDaAjHGW.exe, 00000000.00000002.2069342889.0000000004339000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs UoEDaAjHGW.exe
Source: UoEDaAjHGW.exe, 00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs UoEDaAjHGW.exe
Source: UoEDaAjHGW.exe, 00000000.00000002.2064502542.000000000130E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs UoEDaAjHGW.exe
Source: UoEDaAjHGW.exe, 00000000.00000002.2092577682.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs UoEDaAjHGW.exe
Source: UoEDaAjHGW.exe, 00000000.00000002.2066570250.0000000003331000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs UoEDaAjHGW.exe
Source: UoEDaAjHGW.exe, 00000000.00000002.2066570250.0000000003331000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs UoEDaAjHGW.exe
Source: UoEDaAjHGW.exe, 00000004.00000002.2086684469.0000000000720000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs UoEDaAjHGW.exe
Source: UoEDaAjHGW.exe	Binary or memory string: OriginalFilenameWfdx.exe< vs UoEDaAjHGW.exe

Source: UoEDaAjHGW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.UoEDaAjHGW.exe.46eb318.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.UoEDaAjHGW.exe.46eb318.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.UoEDaAjHGW.exe.46eb318.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 4.2.UoEDaAjHGW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 4.2.UoEDaAjHGW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.2.UoEDaAjHGW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.UoEDaAjHGW.exe.4a08938.2.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.UoEDaAjHGW.exe.4a08938.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.UoEDaAjHGW.exe.4a08938.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 7.2.Exccelworkbook.exe.409cb38.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.2.Exccelworkbook.exe.409cb38.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 7.2.Exccelworkbook.exe.409cb38.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 7.2.Exccelworkbook.exe.409cb38.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.2.Exccelworkbook.exe.409cb38.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 7.2.Exccelworkbook.exe.409cb38.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@20/5@3/2

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UoEDaAjHGW.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\025351e291-5d1041-4fa37-932c7-869aeiQec514992
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03

Source: UoEDaAjHGW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: UoEDaAjHGW.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: UoEDaAjHGW.exe	Virustotal: Detection: 40%
Source: UoEDaAjHGW.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe

File read: C:\Users\user\Desktop\UoEDaAjHGW.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\UoEDaAjHGW.exe "C:\Users\user\Desktop\UoEDaAjHGW.exe"
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process created: C:\Users\user\Desktop\UoEDaAjHGW.exe "C:\Users\user\Desktop\UoEDaAjHGW.exe"
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process created: C:\Users\user\Desktop\UoEDaAjHGW.exe "C:\Users\user\Desktop\UoEDaAjHGW.exe"
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process created: C:\Users\user\Desktop\UoEDaAjHGW.exe "C:\Users\user\Desktop\UoEDaAjHGW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process created: C:\Users\user\Desktop\UoEDaAjHGW.exe "C:\Users\user\Desktop\UoEDaAjHGW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: UoEDaAjHGW.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: UoEDaAjHGW.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: UoEDaAjHGW.exe

Static file information: File size 3794944 > 1048576

Source: UoEDaAjHGW.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x39c000

Source: UoEDaAjHGW.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Code function: 0_2_05DD4236 push dword ptr [ebp+01h]; ret	0_2_05DD423B
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_06D64236 push dword ptr [ebp+01h]; ret	7_2_06D6423B
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_083576E0 push esp; ret	7_2_0835CC01
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_0835CC70 pushfd ; ret	7_2_0835CC71
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_033DE0E8 push eax; ret	8_2_033DE0F5
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_033DD6B5 push eax; ret	8_2_033DD6B6
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_033DD508 push eax; mov dword ptr [esp], ecx	8_2_033DD51C
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_033DDFF0 push eax; ret	8_2_033DE023
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_057F5A0C push eax; retf	8_2_057F5A0D
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_058376E0 push esp; ret	8_2_0583CC01
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 8_2_0583CC70 pushfd ; ret	8_2_0583CC71

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe

File created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	File opened: C:\Users\user\Desktop\UoEDaAjHGW.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: UoEDaAjHGW.exe PID: 7268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 7568, type: MEMORYSTR

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Memory allocated: 3330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Memory allocated: A4D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Memory allocated: B4D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Memory allocated: BB90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Memory allocated: CB90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Memory allocated: D020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Memory allocated: 1590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Memory allocated: 3040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 27A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 9430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: A430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: AAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: BAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: BF30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 14E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 3420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 1700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 9E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: AE60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: B500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: C500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: C950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 4F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 1920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 36B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 1D20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Window / User API: threadDelayed 6749			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Window / User API: threadDelayed 2947			Jump to behavior

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe TID: 7292	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe TID: 7496	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 7592	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 7684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 7840	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 7868	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 7972	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Exccelworkbook.exe, 0000000A.00000002.4492746292.00000000012E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Exccelworkbook.exe, 0000000A.00000002.4511918169.000000000598A000.00000004.00000020.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.4511918169.0000000005995000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Memory written: C:\Users\user\Desktop\UoEDaAjHGW.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process created: C:\Users\user\Desktop\UoEDaAjHGW.exe "C:\Users\user\Desktop\UoEDaAjHGW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process created: C:\Users\user\Desktop\UoEDaAjHGW.exe "C:\Users\user\Desktop\UoEDaAjHGW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Queries volume information: C:\Users\user\Desktop\UoEDaAjHGW.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Queries volume information: C:\Users\user\Desktop\UoEDaAjHGW.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UoEDaAjHGW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\UoEDaAjHGW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.5db0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.4357590.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.5db0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.4357590.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2069342889.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092577682.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.46eb318.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UoEDaAjHGW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.4a08938.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Exccelworkbook.exe.409cb38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Exccelworkbook.exe.409cb38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2206980718.000000000345B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2255644177.0000000004E15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2267284095.000000000A17D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2086684469.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4496248076.0000000003187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2066570250.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2127024359.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2169614404.0000000009431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2086684469.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2169614404.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2144856101.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UoEDaAjHGW.exe PID: 7268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UoEDaAjHGW.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 7648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 7716, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.5db0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.4357590.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.5db0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.4357590.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2069342889.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092577682.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.46eb318.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.UoEDaAjHGW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.4a08938.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Exccelworkbook.exe.409cb38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.4a08938.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Exccelworkbook.exe.409cb38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Exccelworkbook.exe.3d3b318.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UoEDaAjHGW.exe.46eb318.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2206980718.000000000345B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2255644177.0000000004E15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2267284095.000000000A17D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2086684469.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4496248076.0000000003187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2066570250.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2127024359.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2169614404.0000000009431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2086684469.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2169614404.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2144856101.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UoEDaAjHGW.exe PID: 7268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UoEDaAjHGW.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 7648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 7716, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	11 Input Capture	1 Query Registry	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
UoEDaAjHGW.exe	40%	Virustotal		Browse
UoEDaAjHGW.exe	32%	ReversingLabs	Win32.Virus.Virut
UoEDaAjHGW.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	32%	ReversingLabs	Win32.Virus.Virut

Source	Detection	Scanner	Label	Link
http://ipwho.isd	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/d	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
ipwho.is	195.201.57.90	true	false	high
twart.myfirewall.org	94.156.177.117	true	false	high
198.187.3.20.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipwho.is/	false		high
twart.myfirewall.org	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	UoEDaAjHGW.exe, 00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000004.00000002.2086684469.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009431000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2144856101.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009F92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/d	Exccelworkbook.exe, 0000000A.00000002.4496248076.0000000003187000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	UoEDaAjHGW.exe, 00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000004.00000002.2086684469.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009431000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2144856101.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.4496248076.0000000002F82000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354sCannot	UoEDaAjHGW.exe, 00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000004.00000002.2086684469.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009431000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2144856101.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009F92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	Exccelworkbook.exe, 0000000A.00000002.4496248076.0000000003187000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	UoEDaAjHGW.exe, 00000004.00000002.2095172457.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.4496248076.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ipwho.is	Exccelworkbook.exe, 0000000A.00000002.4496248076.000000000313A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	UoEDaAjHGW.exe, 00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp, UoEDaAjHGW.exe, 00000004.00000002.2086684469.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009431000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2144856101.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000007.00000002.2169614404.0000000009F92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ipwho.isd	Exccelworkbook.exe, 0000000A.00000002.4496248076.000000000313A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipwho.is	Exccelworkbook.exe, 0000000A.00000002.4496248076.0000000003129000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.177.117	twart.myfirewall.org	Bulgaria		43561	NET1-ASBG	false
195.201.57.90	ipwho.is	Germany		24940	HETZNER-ASDE	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590569
Start date and time:	2025-01-14 09:36:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	UoEDaAjHGW.exe renamed because original name is a hash value
Original Sample Name:	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@20/5@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 465 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 2.22.50.131, 2.22.50.144, 184.28.90.27, 4.175.87.197, 13.107.246.45, 23.1.237.91, 20.3.187.198, 4.245.163.56
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:36:57	API Interceptor	1x Sleep call for process: UoEDaAjHGW.exe modified
03:37:02	API Interceptor	12439506x Sleep call for process: Exccelworkbook.exe modified
09:37:01	Task Scheduler	Run new task: pdfdocument path: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.156.177.117	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse
94.156.177.117	QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe	Get hash	malicious	Quasar	Browse
195.201.57.90	SPt4FUjZMt.exe	Get hash	malicious	AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine	Browse	/?output=json
	765iYbgWn9.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	765iYbgWn9.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	WfKynArKjH.exe	Get hash	malicious	AsyncRAT, Luca Stealer, MicroClip, RedLine	Browse	/?output=json
	ubes6SC7Vd.exe	Get hash	malicious	Unknown	Browse	ipwhois.app/xml/
	cOQD62FceM.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	/?output=json
	Clipper.exe	Get hash	malicious	Unknown	Browse	/?output=json
	cOQD62FceM.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cryptor.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cryptor.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	/?output=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipwho.is	RFQ.exe	Get hash	malicious	Quasar, PureLog Stealer	Browse	195.201.57.90
	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	195.201.57.90
	QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	UXxZ4m65ro.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	ny9LDJr6pA.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	jaTDEkWCbs.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	2Mi3lKoJfj.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	YJaaZuNHwI.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	108.181.61.49
	msgde.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
bg.microsoft.map.fastly.net	PRODUKTY.EXE.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	199.232.210.172
	2330118683179179335.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	G7T8lHJWWM.exe	Get hash	malicious	LummaC	Browse	199.232.210.172
	009.vbe	Get hash	malicious	AgentTesla	Browse	199.232.210.172
	577119676170175151.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	RFQ.exe	Get hash	malicious	Quasar, PureLog Stealer	Browse	199.232.210.172
	possible SPAM## Msig Insurance Europe Complete via-Sign Monday January 2025.msg	Get hash	malicious	Unknown	Browse	199.232.214.172
	3ClBcOpPUX.exe	Get hash	malicious	CyberGate	Browse	199.232.210.172
	40#U0433.doc	Get hash	malicious	Unknown	Browse	199.232.214.172
	KymUijfvKi.doc	Get hash	malicious	Unknown	Browse	199.232.210.172
twart.myfirewall.org	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	127.0.0.4
	QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe	Get hash	malicious	Quasar	Browse	127.0.0.4
	Zam#U00f3wienie 89118 _ Metal-Constructions.pdf.com.exe	Get hash	malicious	Quasar	Browse	45.88.3.229
	Pedido09669281099195.com.exe	Get hash	malicious	DarkTortilla, Quasar	Browse	213.159.74.80
	doc_Pedido 02024091622008176.com.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	doc_Zapytanie - Oferta POLSKA 91044PL.com.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	doc_Zapytanie - Oferta KH 09281.com.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	doc_rfq Oferta KH 09281.pdf.com.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	Client.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	rNuevoPedidoPO-00843.pdf.com.exe	Get hash	malicious	Quasar	Browse	213.159.74.80

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	RFQ.exe	Get hash	malicious	Quasar, PureLog Stealer	Browse	195.201.57.90
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	https://ipfs.io/ipfs/bafkreidfpb2invnj4i76skys5sfmk3hycbkxhquyb7d6uhnbls3gwf4a5q	Get hash	malicious	HTMLPhisher	Browse	178.63.67.153
	https://tinyurl.com/ch268ddp	Get hash	malicious	Unknown	Browse	116.202.167.133
	https://mmrtb.com/bonus/com-se-5609/global-bb.php?c=4yzi190z6iz1&k=9b48c9184ff290e347cb73c9f3a90c2b&country_code=SE&carrier=Spring%20Mobil&country_name=Sweden&region=Stockholms%20Lan&city=Stockholm&isp=Tele2%20SWIPnet&lang=sv&os=Windows%2010&osv=&browser=Chrome&browserv=131&brand=Desktop&model=Desktop&marketing_name=Desktop&tablet=4&rheight=768&rwidth=768&e=	Get hash	malicious	Unknown	Browse	148.251.120.78
NET1-ASBG	kzQ25HVUbf.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	YvVDV4cbjy.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	EozUxz4ybi.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	oAUBqI6vQ7.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	IpykYx5iwz.exe	Get hash	malicious	Remcos, GuLoader	Browse	94.156.177.164
	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	94.156.177.117
	Fantazy.i486.elf	Get hash	malicious	Unknown	Browse	95.87.199.40
	Fantazy.x86_64.elf	Get hash	malicious	Unknown	Browse	93.123.77.220
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.191.90

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	009.vbe	Get hash	malicious	AgentTesla	Browse	195.201.57.90
	RFQ.exe	Get hash	malicious	Quasar, PureLog Stealer	Browse	195.201.57.90
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	195.201.57.90
	https://performancemanager10.successfactors.com/sf/hrisworkflowapprovelink?workflowRequestId=V4-0-a1-iHQRWD3bQis7XhhWNKzjfWwnvURbEsN0CxUc27Zt3ml0ag&company=oceanagoldT2&username=dave.oliver@oceanagold.com	Get hash	malicious	Unknown	Browse	195.201.57.90
	https://imtcoken.im/	Get hash	malicious	Unknown	Browse	195.201.57.90
	https://ipfs.io/ipfs/bafkreidfpb2invnj4i76skys5sfmk3hycbkxhquyb7d6uhnbls3gwf4a5q	Get hash	malicious	HTMLPhisher	Browse	195.201.57.90
	http://pub-575fb9d74c7a46f0828b37cda8dd9c40.r2.dev/docu/e_protocol.html?e	Get hash	malicious	HTMLPhisher	Browse	195.201.57.90
	https://eb-ri18.vercel.app/verset.html	Get hash	malicious	HTMLPhisher	Browse	195.201.57.90
	https://metahorizonsfacebooksupport.tempisite.com/italy39	Get hash	malicious	HTMLPhisher	Browse	195.201.57.90
	http://ubiquitous-twilight-c9292b.netlify.app/	Get hash	malicious	Unknown	Browse	195.201.57.90

Process:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2478978672539016
Encrypted:	false
SSDEEP:	6:kKW99UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:HDImsLNkPlE99SNxAhUe/3
MD5:	E50ACA67478896773A94233A17B573F1
SHA1:	E1E6BBDEB18F1FAA7C161ACB60D184271A039E3D
SHA-256:	D3E02E9023C5C27E52286C2020C5866170338C79A86D90EA901C6BC00C864381
SHA-512:	6A262B0C9730895905A2FC459CFE41C263D75E07E391C324C998BC8DD2497E06BCDF91D5EB9CBEDE643795D8639C67059D59FE038E829E499CB358D98CD38928
Malicious:	false
Reputation:	low
Preview:	p...... ........S}.._f..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Exccelworkbook.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UoEDaAjHGW.exe.log

Download File

Process:	C:\Users\user\Desktop\UoEDaAjHGW.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Download File

Process:	C:\Users\user\Desktop\UoEDaAjHGW.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3794944
Entropy (8bit):	7.978462745878396
Encrypted:	false
SSDEEP:	49152:7REIID3HchpnsFxF091txtO9fIkT/SvVp241xdbsvhIK7Nj7ktaJA40WQv6JNnqu:7+TIxtO9fIt7xUxkt+A4Nnqy1aaW4
MD5:	948D8D109D5498949CB6DF8DDF011187
SHA1:	A34388517B5D91508739469CFCB99415A0AAEEB3
SHA-256:	68FE78C0A8961DA3A1121F95EBE63003C9A7C359EDF68542D971D92632357422
SHA-512:	91C910B08A0E7A759211D915CCB3D14B8C5318C3AC7FB0B8D558D4804E569C1AE7317925539E30BF5325F06C2BDC5C3BDDEEB425AE37C2800709CBCCAA1E4A6A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0...9..&......z.9.. ....9...@.. .......................@:...........@.................................(.9.O.....9.."................... :...................................................... ............... ..H............text.....9.. ....9................. ..`.rsrc...."....9..$....9.............@..@.reloc....... :.......9.............@..B................\.9.....H........T...E......q........C9.........................................>.-.r...ps....zV.-.r...ps....z.o......(.......0.. ........(....r...p(....s......s....}.....(.....{....(....o.....{.....o.....{....r=..p"..@A...s ...o!....{.... ....("...o#....{.....o$....{....rm..po%....{.....o&...."...@"..PAs'...((.....().... .... ....s...(+....(,....{....o-.....r...po....tX...(/....r...p(%....r...po0.....(1....(2.....(3...:.(......o0...6.{.....o4...J..(5...(6...(.....0..........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.978462745878396
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	UoEDaAjHGW.exe
File size:	3'794'944 bytes
MD5:	948d8d109d5498949cb6df8ddf011187
SHA1:	a34388517b5d91508739469cfcb99415a0aaeeb3
SHA256:	68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422
SHA512:	91c910b08a0e7a759211d915ccb3d14b8c5318c3ac7fb0b8d558d4804e569c1ae7317925539e30bf5325f06c2bdc5c3bddeeb425ae37c2800709cbccaa1e4a6a
SSDEEP:	49152:7REIID3HchpnsFxF091txtO9fIkT/SvVp241xdbsvhIK7Nj7ktaJA40WQv6JNnqu:7+TIxtO9fIt7xUxkt+A4Nnqy1aaW4
TLSH:	030633457580D903C8B21BF94831E3B85FB45C995A20D3875BE97DFFF836B932A42922
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0...9..&......z.9.. ....9...@.. .......................@:...........@................................

File Icon


Icon Hash:	f0aea8aaaa8ee80f

Static PE Info

General

Entrypoint:	0x79de7a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6785EAB5 [Tue Jan 14 04:40:21 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
and dword ptr [eax], eax
inc eax
add byte ptr [ebx], ah
add byte ptr [eax+eax], ah
and eax, 26005E00h
add byte ptr [edx], ch
add byte ptr [eax], ch
add byte ptr [ecx], ch
add byte ptr [edi], bh
add byte ptr [eax], al
add byte ptr [edx+003E9999h], bl
add byte ptr [eax], al
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x39de28	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x39e000	0x22e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3a2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x39bea8	0x39c000	c8a6562797373c097b9293d5207048ba	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x39e000	0x22e0	0x2400	a22c060ea630d5700b1b9536f5d727f1	False	0.8780381944444444	data	7.377416070993208	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3a2000	0xc	0x200	4b62e2667c1c4529179fa5f498243005	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x39e0c8	0x1e50	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9755154639175257
RT_GROUP_ICON	0x39ff28	0x14	data	1.05
RT_VERSION	0x39ff4c	0x38e	data	0.4351648351648352

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T09:37:09.148001+0100	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	94.156.177.117	9792	192.168.2.5	49709	TCP
2025-01-14T09:37:09.148001+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	94.156.177.117	9792	192.168.2.5	49709	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 09:37:08.180967093 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:37:08.185766935 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:37:08.185839891 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:37:08.190814972 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:37:08.195646048 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:37:09.138442039 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:37:09.138458967 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:37:09.138514042 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:37:09.143208027 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:37:09.148000956 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:37:09.449568987 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:37:09.500891924 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:37:10.446002960 CET	49711	443	192.168.2.5	195.201.57.90
Jan 14, 2025 09:37:10.446048975 CET	443	49711	195.201.57.90	192.168.2.5
Jan 14, 2025 09:37:10.446103096 CET	49711	443	192.168.2.5	195.201.57.90
Jan 14, 2025 09:37:10.447243929 CET	49711	443	192.168.2.5	195.201.57.90
Jan 14, 2025 09:37:10.447257996 CET	443	49711	195.201.57.90	192.168.2.5
Jan 14, 2025 09:37:11.291492939 CET	443	49711	195.201.57.90	192.168.2.5
Jan 14, 2025 09:37:11.291559935 CET	49711	443	192.168.2.5	195.201.57.90
Jan 14, 2025 09:37:11.296565056 CET	49711	443	192.168.2.5	195.201.57.90
Jan 14, 2025 09:37:11.296586990 CET	443	49711	195.201.57.90	192.168.2.5
Jan 14, 2025 09:37:11.297075987 CET	443	49711	195.201.57.90	192.168.2.5
Jan 14, 2025 09:37:11.312057972 CET	49711	443	192.168.2.5	195.201.57.90
Jan 14, 2025 09:37:11.355330944 CET	443	49711	195.201.57.90	192.168.2.5
Jan 14, 2025 09:37:11.504069090 CET	443	49711	195.201.57.90	192.168.2.5
Jan 14, 2025 09:37:11.504151106 CET	443	49711	195.201.57.90	192.168.2.5
Jan 14, 2025 09:37:11.504232883 CET	49711	443	192.168.2.5	195.201.57.90
Jan 14, 2025 09:37:11.565417051 CET	49711	443	192.168.2.5	195.201.57.90
Jan 14, 2025 09:37:11.767077923 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:37:11.772403002 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:37:11.772459984 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:37:11.777316093 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:37:12.194520950 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:37:12.297947884 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:37:12.382888079 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:37:12.594662905 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:37:28.496092081 CET	49373	53	192.168.2.5	162.159.36.2
Jan 14, 2025 09:37:28.501012087 CET	53	49373	162.159.36.2	192.168.2.5
Jan 14, 2025 09:37:28.501116991 CET	49373	53	192.168.2.5	162.159.36.2
Jan 14, 2025 09:37:28.516171932 CET	53	49373	162.159.36.2	192.168.2.5
Jan 14, 2025 09:37:28.985361099 CET	49373	53	192.168.2.5	162.159.36.2
Jan 14, 2025 09:37:28.992762089 CET	49373	53	192.168.2.5	162.159.36.2
Jan 14, 2025 09:37:29.000109911 CET	53	49373	162.159.36.2	192.168.2.5
Jan 14, 2025 09:37:29.000178099 CET	49373	53	192.168.2.5	162.159.36.2
Jan 14, 2025 09:37:37.391515017 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:37:37.398474932 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:38:02.407083988 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:38:02.412755013 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:38:27.422631025 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:38:27.427728891 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:38:52.438182116 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:38:52.443129063 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:39:17.563143969 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:39:17.568382978 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:39:42.579746962 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:39:42.584614038 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:40:07.650302887 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:40:07.655558109 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:40:32.781789064 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:40:32.786673069 CET	9792	49709	94.156.177.117	192.168.2.5
Jan 14, 2025 09:40:57.797470093 CET	49709	9792	192.168.2.5	94.156.177.117
Jan 14, 2025 09:40:57.802335978 CET	9792	49709	94.156.177.117	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 09:37:08.153918982 CET	51085	53	192.168.2.5	1.1.1.1
Jan 14, 2025 09:37:08.170584917 CET	53	51085	1.1.1.1	192.168.2.5
Jan 14, 2025 09:37:10.430293083 CET	60104	53	192.168.2.5	1.1.1.1
Jan 14, 2025 09:37:10.437259912 CET	53	60104	1.1.1.1	192.168.2.5
Jan 14, 2025 09:37:28.495487928 CET	53	49412	162.159.36.2	192.168.2.5
Jan 14, 2025 09:37:29.025904894 CET	65460	53	192.168.2.5	1.1.1.1
Jan 14, 2025 09:37:29.035470009 CET	53	65460	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 09:37:08.153918982 CET	192.168.2.5	1.1.1.1	0xbd60	Standard query (0)	twart.myfirewall.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 09:37:10.430293083 CET	192.168.2.5	1.1.1.1	0x469c	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false
Jan 14, 2025 09:37:29.025904894 CET	192.168.2.5	1.1.1.1	0xd23e	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 09:37:08.170584917 CET	1.1.1.1	192.168.2.5	0xbd60	No error (0)	twart.myfirewall.org		94.156.177.117	A (IP address)	IN (0x0001)	false
Jan 14, 2025 09:37:09.609150887 CET	1.1.1.1	192.168.2.5	0x553e	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 09:37:09.609150887 CET	1.1.1.1	192.168.2.5	0x553e	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 09:37:10.437259912 CET	1.1.1.1	192.168.2.5	0x469c	No error (0)	ipwho.is		195.201.57.90	A (IP address)	IN (0x0001)	false
Jan 14, 2025 09:37:29.035470009 CET	1.1.1.1	192.168.2.5	0xd23e	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49711	195.201.57.90	443	7716	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 08:37:11 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2025-01-14 08:37:11 UTC	223	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 08:37:11 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2025-01-14 08:37:11 UTC	1021	IN	Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo

Target ID:	0
Start time:	03:36:56
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\UoEDaAjHGW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\UoEDaAjHGW.exe"
Imagebase:	0xb00000
File size:	3'794'944 bytes
MD5 hash:	948D8D109D5498949CB6DF8DDF011187
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2069342889.0000000004339000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2092577682.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2066570250.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2095201998.000000000A4D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2069342889.0000000004377000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:36:59
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\UoEDaAjHGW.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\UoEDaAjHGW.exe"
Imagebase:	0x3e0000
File size:	3'794'944 bytes
MD5 hash:	948D8D109D5498949CB6DF8DDF011187
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:36:59
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\UoEDaAjHGW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\UoEDaAjHGW.exe"
Imagebase:	0xa10000
File size:	3'794'944 bytes
MD5 hash:	948D8D109D5498949CB6DF8DDF011187
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.2086684469.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.2086684469.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:37:01
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
Imagebase:	0x3d0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:37:01
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:37:01
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
Imagebase:	0x2a0000
File size:	3'794'944 bytes
MD5 hash:	948D8D109D5498949CB6DF8DDF011187
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.2127024359.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.2169614404.0000000009431000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.2169614404.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.2144856101.0000000003D3B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:37:01
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Imagebase:	0xad0000
File size:	3'794'944 bytes
MD5 hash:	948D8D109D5498949CB6DF8DDF011187
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.2206980718.000000000345B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.2255644177.0000000004E15000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.2267284095.000000000A17D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:37:04
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
Imagebase:	0x100000
File size:	3'794'944 bytes
MD5 hash:	948D8D109D5498949CB6DF8DDF011187
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:37:04
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
Imagebase:	0xa10000
File size:	3'794'944 bytes
MD5 hash:	948D8D109D5498949CB6DF8DDF011187
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.4496248076.0000000003187000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	03:37:05
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
Imagebase:	0x3d0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:37:06
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:37:11
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
Imagebase:	0xd40000
File size:	3'794'944 bytes
MD5 hash:	948D8D109D5498949CB6DF8DDF011187
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.9%
Total number of Nodes:	204
Total number of Limit Nodes:	16

Executed Functions

Function 076D75E8 Relevance: 6.9, Strings: 5, Instructions: 622
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 076DA6C5
Haq, xrefs: 076DA63B
Haq, xrefs: 076DA783
Haq, xrefs: 076DA5B4
Haq, xrefs: 076DA521

Memory Dump Source

Source File: 00000000.00000002.2093632137.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID: Haq$Haq$Haq$Haq$Haq
API String ID: 0-1792267638
Opcode ID: 700698d5291a807482f581dbee0adc55d64ed562f02df54c327b184e482c8d3b
Instruction ID: 0a674d1b59cbfb9fe7606930bc862bff03972b68a826dacc682af09d64de78aa
Opcode Fuzzy Hash: 700698d5291a807482f581dbee0adc55d64ed562f02df54c327b184e482c8d3b
Instruction Fuzzy Hash: B8329070E142198FDB54DFB9C8907AEBBB6AF88300F14C4A9D40AEB385DE349D45CB95

Function 03153210 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1fc9c532bd16ebe2da04478dfea5e07b380d8bfc868b06a4a738061525ffea
Instruction ID: 5f42aac6bfe92a96b89aeda0e4f76e5545de43b6545b4553ee0d5ab87794eb42
Opcode Fuzzy Hash: 9b1fc9c532bd16ebe2da04478dfea5e07b380d8bfc868b06a4a738061525ffea
Instruction Fuzzy Hash: ADC18A357017048FDB1ADB79C460BAAB7FAAF8D640F18486DE566CB290DF34E901CB61

Function 05DD68B0 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c9b09affa00e0abc774b048de99b8cc2225e9b12bc038c39eab261a01f2cdf
Instruction ID: aad079ace315477ab4597114ec0cab06b199c9445251f894ee291680497499da
Opcode Fuzzy Hash: 77c9b09affa00e0abc774b048de99b8cc2225e9b12bc038c39eab261a01f2cdf
Instruction Fuzzy Hash: 72C1C270E04219CFDB14DFAAC884BADFBF2BF49300F14916AD449AB251D7749985CFA1

Function 076D9F50 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093632137.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89c48112a2c2b4fc15774cfe0b0bb646ec57dbecfaed7187ae4b706c25d05a7
Instruction ID: 5c1c3e219232d72c373675c105a3d3e35a2dd6549a294a7c6a7ef8a36b23d09a
Opcode Fuzzy Hash: c89c48112a2c2b4fc15774cfe0b0bb646ec57dbecfaed7187ae4b706c25d05a7
Instruction Fuzzy Hash: AAC15CB1E102558FDF15CFA9C88079DBBB2AF89300F14C1A9D80AAB255EB74DD85CF51

Function 05DD689F Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32b1a5d3d37a024fd6e51f7e5c02276a09fdbe0b37faa6fa2b729ac4e928985
Instruction ID: 12e56f35825e6d8cb510eeea59b0db1ef209ec0e5e4ad5c58b74a705e697ee9a
Opcode Fuzzy Hash: a32b1a5d3d37a024fd6e51f7e5c02276a09fdbe0b37faa6fa2b729ac4e928985
Instruction Fuzzy Hash: D3C1C074E04218CFDB54CFAAC8847ADFBF2BF89300F14916AD449AB251EB749985CF60

Function 031517E0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c30e987d6fe305de1be9238a6c6feda2035f54a151c718506422de84ecdbfd
Instruction ID: 9826bb31ce875fe34b520cbdf08e2d2c7135ffc2533b0e39c359f2208dc10d97
Opcode Fuzzy Hash: d9c30e987d6fe305de1be9238a6c6feda2035f54a151c718506422de84ecdbfd
Instruction Fuzzy Hash: 09712971D44219DBDB29CF66C8407E9F7B6BF8D300F1492EAE819A6250EB745AC5CF40

Function 05DDA558 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9656e4fb327781e3812a5f37bedd7cf6fba0872a5497059681a732e6a2b7fe1c
Instruction ID: 5edf6f307dbb470ffaeba8361306074764f1772fd2e5d9673efcc0719d295806
Opcode Fuzzy Hash: 9656e4fb327781e3812a5f37bedd7cf6fba0872a5497059681a732e6a2b7fe1c
Instruction Fuzzy Hash: C431E2B0D04658CBDB18CFAAC8447EEFBF6AF89301F14C06AD409AA259DB754946CF60

Function 031BD551 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 031BD5DE
GetCurrentThread.KERNEL32 ref: 031BD61B
GetCurrentProcess.KERNEL32 ref: 031BD658
GetCurrentThreadId.KERNEL32 ref: 031BD6B1

Memory Dump Source

Source File: 00000000.00000002.2066381317.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31b0000_UoEDaAjHGW.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1fd3a28159c78894179faf8eab56a9e4636efeb5e6b46d2bbae173087bf99724
Instruction ID: 7a33e055a3136964d8780754b22e873eaa346270f21c8a7392da6b70b54d26fe
Opcode Fuzzy Hash: 1fd3a28159c78894179faf8eab56a9e4636efeb5e6b46d2bbae173087bf99724
Instruction Fuzzy Hash: 645144B09003498FDB08DFA9D948BEEBFF1EF4D314F248459E509A72A0DB389944CB65

Function 031BD560 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 031BD5DE
GetCurrentThread.KERNEL32 ref: 031BD61B
GetCurrentProcess.KERNEL32 ref: 031BD658
GetCurrentThreadId.KERNEL32 ref: 031BD6B1

Memory Dump Source

Source File: 00000000.00000002.2066381317.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31b0000_UoEDaAjHGW.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0b3cf66a929d40b1eb115c4fb9ee11ceab19fd6f982911162bb0a6cf20ba40b1
Instruction ID: d2636d7ecf655cb196f5188428b24943f5cca0eb0f63a2cddee557c249543431
Opcode Fuzzy Hash: 0b3cf66a929d40b1eb115c4fb9ee11ceab19fd6f982911162bb0a6cf20ba40b1
Instruction Fuzzy Hash: 925125B09003098FDB18DFA9D948BEEBBF5EF4C314F248459E519A7260DB389944CF65

Function 05DD9670 Relevance: 2.7, Strings: 2, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 05DD96FB
Te]q, xrefs: 05DD97BB

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: d70ea294b9eadc24fd9beea5b53972656f835856e550e62e2697dc674adb2cfd
Instruction ID: c1881a1f5248d3083b736d5c020721b62bb51c1a28867d4a82c5056a3ef9d6cd
Opcode Fuzzy Hash: d70ea294b9eadc24fd9beea5b53972656f835856e550e62e2697dc674adb2cfd
Instruction Fuzzy Hash: AE61C4B4E04208DFDB08DFE9C9946EDFBB6BF89300F14912AD419AB354D7359906CB60

Function 05DD9660 Relevance: 2.7, Strings: 2, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 05DD96FB
Te]q, xrefs: 05DD97BB

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: 742baf0d98f892954b05befa68b30e9e30f66af5a031db1936a14cb31e1919d9
Instruction ID: fd6a7d61963519263f629a6b5eae71d15e5dad5fef343ee09aa15be7a7105034
Opcode Fuzzy Hash: 742baf0d98f892954b05befa68b30e9e30f66af5a031db1936a14cb31e1919d9
Instruction Fuzzy Hash: 1C51D5B4E05208DFDB04DFE9C9946EEFBB6BF89300F14812AD419AB354DB359906CB60

Function 031506DE Relevance: 1.8, APIs: 1, Instructions: 250processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0315091E

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ce317e00ed2e7d605880c3915e53ba6fcc0575d06df8b67ef116d706f32172ae
Instruction ID: ba4c06acdb88c1f392e72ce1862b8009b3275e9592ceab62d22cb9bcf2d78482
Opcode Fuzzy Hash: ce317e00ed2e7d605880c3915e53ba6fcc0575d06df8b67ef116d706f32172ae
Instruction Fuzzy Hash: 84A17E71D00619DFDB24CFA8C841BEEBBB2BF4C310F1481A9E868A7244DB759985CF91

Function 031506E8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0315091E

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bc6221131408faa1532a728867610fa3137cf7ae05feac5822b1a343115260cb
Instruction ID: d87768f08d71824a2c1d7fd96f0b44ace046af18e4ef509d8fcf142636cb8228
Opcode Fuzzy Hash: bc6221131408faa1532a728867610fa3137cf7ae05feac5822b1a343115260cb
Instruction Fuzzy Hash: F3917E71D00619DFEB14CFA8C841BEDBBB2BF4C310F1481A9E868A7244DB759985CF91

Function 031BB2B9 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066381317.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31b0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c20db6645a5fb5b7aaf4d7fc4786c339fdfabeb04056b8cd308f3709ff2d1b
Instruction ID: 2860fb1fae4a18106ea80873cc973c3500d4c406b15af8b1372d36dbc9e434b0
Opcode Fuzzy Hash: b8c20db6645a5fb5b7aaf4d7fc4786c339fdfabeb04056b8cd308f3709ff2d1b
Instruction Fuzzy Hash: EE814370A04B058FD724CF69D49079ABBF5FF48300F04896DD08ADBA50DB78E949CBA1

Function 05DDE248 Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

4']q, xrefs: 05DDE758

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: d8de948f88cba42cc3c764ea85f030569df1c5d52a86aa66237a0080d46b629c
Instruction ID: 0e9a4c1226ec49bf9ae59932170d97d8e68b2878f7116e60ac51b3a0a3a7363a
Opcode Fuzzy Hash: d8de948f88cba42cc3c764ea85f030569df1c5d52a86aa66237a0080d46b629c
Instruction Fuzzy Hash: 46E17074A00209DFDB05DFA9D984ABEBBFBFF88310F108469D805AB355CA389D45CB65

Function 031B5CEC Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 031B5DA9

Memory Dump Source

Source File: 00000000.00000002.2066381317.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31b0000_UoEDaAjHGW.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 22955a05a85b084788ebf61ca9d275dfb6f1b38191c56e087df1d8d51cda1007
Instruction ID: a07e08ab34cb8cd412719f930c441fd0227e5051065a97457c788e7bba89d7a2
Opcode Fuzzy Hash: 22955a05a85b084788ebf61ca9d275dfb6f1b38191c56e087df1d8d51cda1007
Instruction Fuzzy Hash: 4641E2B0C00719CBDB24DFA9C944ADDBBB6BF49304F24816AD418AB254DB75694ACF90

Function 031B4538 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 031B5DA9

Memory Dump Source

Source File: 00000000.00000002.2066381317.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31b0000_UoEDaAjHGW.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4043be84d889b92a49cf02dcb7c0e02689a957f86e0d608abede5ba74d61bdfd
Instruction ID: 07e9c4d91cec873cd36f0a4fb4d867a72a9bc67a06e0db2f192bcf2b0a7a49da
Opcode Fuzzy Hash: 4043be84d889b92a49cf02dcb7c0e02689a957f86e0d608abede5ba74d61bdfd
Instruction Fuzzy Hash: 6741D2B0C00719CBDB24DFA9C944BDDBBB6BF49304F20806AD419AB255DB756946CF90

Function 076DA888 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093632137.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d0000_UoEDaAjHGW.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: a72de66f8e99fed71d2a2952beaafdf88f19a289087b704af9c13ac43a58c6c0
Instruction ID: 4617f176ec164e14b80b0167a6399ae4f3014af64b2d5cefb044a7cdbc6b7f95
Opcode Fuzzy Hash: a72de66f8e99fed71d2a2952beaafdf88f19a289087b704af9c13ac43a58c6c0
Instruction Fuzzy Hash: DE316DB29043499FCB11DFA9D844ADABFF8EF09310F14845AE554A7211C3359954CFA1

Function 0315045A Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 031504F0

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2585c2360a3f32faad6c4513d3befc4ef342d8f1deeff821de8fbdb4e9b702eb
Instruction ID: abbe3c0f76d9b190d4fe5cc36c06133608598d0f46d4ab37e8ddb118c9f37b22
Opcode Fuzzy Hash: 2585c2360a3f32faad6c4513d3befc4ef342d8f1deeff821de8fbdb4e9b702eb
Instruction Fuzzy Hash: AC2128B5900349DFCB10DFAAC985BEEBBF5FF48310F108429E919A7250C7799945CBA0

Function 03150460 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 031504F0

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dc3da376cdd5a664eddbeda9fb2bf6d7a841c8f1b2bd97c432066bf59449baa2
Instruction ID: 14550a0b550bc0fbb9cc4da5d8afa6d498daa8e73519a33705d6f316a26151d4
Opcode Fuzzy Hash: dc3da376cdd5a664eddbeda9fb2bf6d7a841c8f1b2bd97c432066bf59449baa2
Instruction Fuzzy Hash: C82119B5900359DFCB10DFAAC985BEEBBF5FF48310F148429E929A7250C7789954CBA0

Function 03150548 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 031505D0

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: bdbc0d9f2121b7fb1d713ee098f97778bf938911e8a54b6317e8bae01eab2d47
Instruction ID: 53ea0a7a19e93944ef75249948fb1c7fa28f2243977cd3cc5c350efb8bdbc08b
Opcode Fuzzy Hash: bdbc0d9f2121b7fb1d713ee098f97778bf938911e8a54b6317e8bae01eab2d47
Instruction Fuzzy Hash: C6213BB58002499FCB10DFAAC8806EEFFF5FF48310F50842AE919A7240C7399545CBA0

Function 031502C0 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03150346

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0c9e7cd649e75cf3018bab38c109eee7fe4dcbfae395960efed890c60b1139bc
Instruction ID: 152a901c5d44b4779dc24e0931cde53cd430c1187d19c949f83476694f29e69f
Opcode Fuzzy Hash: 0c9e7cd649e75cf3018bab38c109eee7fe4dcbfae395960efed890c60b1139bc
Instruction Fuzzy Hash: 18213971D002098FDB50DFAAC5457EEBBF4FF48324F148429D529A7280C7789985CBA0

Function 03150550 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 031505D0

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3672d7b4fa4f98965a6d0af1739b8889f0084737696b6842bec7b4a06d9a621d
Instruction ID: 8558b648d189bd96b70a7d4238637960e5a08383eeb94a9123511189a7be6989
Opcode Fuzzy Hash: 3672d7b4fa4f98965a6d0af1739b8889f0084737696b6842bec7b4a06d9a621d
Instruction Fuzzy Hash: B02128B1C002499FCB10DFAAC940AEEFBF5FF48310F50842AE919A7250C7389945CBA0

Function 031502C8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03150346

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: df6cde3dc9f8c33294c904c907828a91015d5fc2c41a8972a805743640ee6ca8
Instruction ID: f4bc7662d3b84059439d9b4313d53968fce8849133dd14b61c3aa2c8f067a3b3
Opcode Fuzzy Hash: df6cde3dc9f8c33294c904c907828a91015d5fc2c41a8972a805743640ee6ca8
Instruction Fuzzy Hash: 0C2104B19002098FDB50DFAAC5857EEBBF4FF48314F54842AD959A7240CB78A945CBA1

Function 031BD7A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031BD82F

Memory Dump Source

Source File: 00000000.00000002.2066381317.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31b0000_UoEDaAjHGW.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bf88a919fefb40452124b6a85b823c33f3dc0736d7af4874cb48e534917a050b
Instruction ID: b63b999a98d26e21226d861ca45c77ffb7cc2fdde17c82164ee50578ac3074df
Opcode Fuzzy Hash: bf88a919fefb40452124b6a85b823c33f3dc0736d7af4874cb48e534917a050b
Instruction Fuzzy Hash: A821C4B59002489FDB10CF9AD584ADEFFF9FB48310F14841AE918A3350D379A954CFA5

Function 076D7624 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,076DA8A2,?,?,?,?,?), ref: 076DA947

Memory Dump Source

Source File: 00000000.00000002.2093632137.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d0000_UoEDaAjHGW.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: f9bd2950bd2c83c7bef966935c4e329548f2d0e500a485728178343d1fd9f078
Instruction ID: 155cbb15750b4880acd452bf68c85360d8afd78a8bb42208e45d0f0637f39835
Opcode Fuzzy Hash: f9bd2950bd2c83c7bef966935c4e329548f2d0e500a485728178343d1fd9f078
Instruction Fuzzy Hash: D8113AB1814249DFDB10DFAAD944BEEBFF8EF48310F14841AEA15A7210C379A954DFA4

Function 03150210 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0315027A

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c0336a109be177423672e3ceb697780415c08b75442e7fff57f9f2620f245fdc
Instruction ID: 65dea6d0b766a08ec852c11dfd427dd59e2ed260579b33f3bd1e4cc45cc87472
Opcode Fuzzy Hash: c0336a109be177423672e3ceb697780415c08b75442e7fff57f9f2620f245fdc
Instruction Fuzzy Hash: 6A1158B1C002088FCB20DFAAC4457EEFBF4EF88324F248819D519A7240CB39A945CBA5

Function 031503A0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0315040E

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: edd2fbaf7d988625fab2d1fd70cd3ce5436d2cd94093a0483ab2e1d0e071e14c
Instruction ID: 2d2eac1c3554319f2ab779f022a5e1270c2ffa4545a9eb74a5a7bb25cf90bc39
Opcode Fuzzy Hash: edd2fbaf7d988625fab2d1fd70cd3ce5436d2cd94093a0483ab2e1d0e071e14c
Instruction Fuzzy Hash: 69113771900249DFCB10DFAAC944AEEFFF5EF88314F248819E919A7250C779A540CFA0

Function 031503A2 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0315040E

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e3ff6e46485c23e7fffe8fd7f1792decb967ed612943ee5369c1f259303aeaf9
Instruction ID: 1c5a0a91184ed988b808008f8ce89402a985eaac1e283e2a5532e239e2afd27c
Opcode Fuzzy Hash: e3ff6e46485c23e7fffe8fd7f1792decb967ed612943ee5369c1f259303aeaf9
Instruction Fuzzy Hash: DC113771900249CFCB10DFA9C944AEEBFF5EF88314F248819E519A7250C7799540CFA0

Function 03152B99 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 03152BFD

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7952f63aeccaa6c78d9068ed36132b61c59400951338b3bdfa0d10f00e6fd675
Instruction ID: be405c2495245ca4f283fcc7cbb4eb788bf11b212cbdccc99c2e468bc24378e3
Opcode Fuzzy Hash: 7952f63aeccaa6c78d9068ed36132b61c59400951338b3bdfa0d10f00e6fd675
Instruction Fuzzy Hash: C61125B5800248DFCB10DF99D585BEEFFF8EB48310F108419E958A7211C379A544CFA1

Function 03150218 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0315027A

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ba1b017b6dc6b1b3eed95ffab0992bb2cc2af30471b3f3501d34aef71fe43daf
Instruction ID: ceaacacee728e55cb3efeb7f5722a01593abf6ed00c334eebdecb903123e92bf
Opcode Fuzzy Hash: ba1b017b6dc6b1b3eed95ffab0992bb2cc2af30471b3f3501d34aef71fe43daf
Instruction Fuzzy Hash: 441125B1D002488FCB20DFAAC5457EEFBF5EF88324F248819D519A7250CB79A944CBA5

Function 031BB4B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031BB51E

Memory Dump Source

Source File: 00000000.00000002.2066381317.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31b0000_UoEDaAjHGW.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7be6e0937f6a073f87bd493ce1b752a6d3e6275772cd188706024280b5b519ef
Instruction ID: 70f0f41d220b80704f4f9ce93173479823d47f3a2bee73d57d5bff4b29578f70
Opcode Fuzzy Hash: 7be6e0937f6a073f87bd493ce1b752a6d3e6275772cd188706024280b5b519ef
Instruction Fuzzy Hash: 2A111DB6C012498FCB10CF9AD544ADEFBF8EF88320F14C42AD829A7610D379A545CFA1

Function 03152BA0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 03152BFD

Memory Dump Source

Source File: 00000000.00000002.2066131897.0000000003150000.00000040.00000800.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3150000_UoEDaAjHGW.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b9d37146a9e099e567d9c967f73048a2e2595ba792f627d941065c5d40433bc7
Instruction ID: be0d9381206b702bf8731815e21754fdb908dbc96c1de6d4c9b1e392dc3bbecc
Opcode Fuzzy Hash: b9d37146a9e099e567d9c967f73048a2e2595ba792f627d941065c5d40433bc7
Instruction Fuzzy Hash: 2C11D3B5800349DFDB10DF9AD545BDEFBF8EB48310F208419E928A7250C379A544CFA1

Function 05DD69F8 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61e9e285d5877860ae65d5899bbbab5c463893ecd534a57ddee1c29393bb993
Instruction ID: 7b89ff8edb5ce0c47a36cbe198533e6a03e2292018d0f798a0c39bfb3baf7156
Opcode Fuzzy Hash: d61e9e285d5877860ae65d5899bbbab5c463893ecd534a57ddee1c29393bb993
Instruction Fuzzy Hash: 32A1BF74E04229CFDB60DFA8C884BADFBF2BB09300F14919AD449AB241D7749985CFA1

Function 05DDAF78 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9359cb2f1c34be54cfeb37e7c232aeba56fac32c9ae7713b7986c68dba04ff21
Instruction ID: db99589aff519b8d52a9f49c1981af4c0cc7f4a547c42e0d25c24e3f489d0e34
Opcode Fuzzy Hash: 9359cb2f1c34be54cfeb37e7c232aeba56fac32c9ae7713b7986c68dba04ff21
Instruction Fuzzy Hash: 03714870909209DBDB04CF99C8849BDFBBAFF8D305B16D156D459A7241C734E981CF60

Function 05DDEC80 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063cc39ac6b28a0a889cecf582b57a4ab32bea71d5d9e27e9f9d6a802589ce3c
Instruction ID: cb27e3820af9c0b185028cd7986ee49a1975eef50c7f82d5d8aefc10a4573c6a
Opcode Fuzzy Hash: 063cc39ac6b28a0a889cecf582b57a4ab32bea71d5d9e27e9f9d6a802589ce3c
Instruction Fuzzy Hash: A741B231A042258FCB59DB7CC8846AEBBFAFF89210B14846BD449DB355DA399C42C7B1

Function 05DD9E30 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9190f72ad90473c32e74382f287f470c1c370d9b5fafbabb7f585d46440f42
Instruction ID: a68aba9dcfc5fa4c109fc777ab49cbef43175b8d8803a921be736d411519e3b5
Opcode Fuzzy Hash: eb9190f72ad90473c32e74382f287f470c1c370d9b5fafbabb7f585d46440f42
Instruction Fuzzy Hash: F7415770E0A2089FDB08CBAAD8546EEFBF7BFC9301F14D06AE459A7251D7359941CB60

Function 05DDCCF4 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca840b508d161be0f67f6c940b404ad24ddcb42c2deb14a8e489d58e66b58c5
Instruction ID: 2f095a9de260e9028460c3d4e826c67b225ac73a2ad29761a0c589a5534cb8fd
Opcode Fuzzy Hash: 7ca840b508d161be0f67f6c940b404ad24ddcb42c2deb14a8e489d58e66b58c5
Instruction Fuzzy Hash: 115120B4A00309DFCB14DF64D8956ADBBBAFB88311F1082AAE419E7755DB349D42CF60

Function 05DD8B98 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73fcb5cdab6ab2fa1531f6b4b6a8a6a9317f6c70224be7cb925b175b71666dcf
Instruction ID: 61285add5e3d948a79d8251bee9ae7df66136c22b98b7b39b710b24097841a01
Opcode Fuzzy Hash: 73fcb5cdab6ab2fa1531f6b4b6a8a6a9317f6c70224be7cb925b175b71666dcf
Instruction Fuzzy Hash: 0131031294F7E05FE703AB3C98706DA7F70AF83224B0A01D7C0848F4A3D418994DC7AA

Function 05DDEB58 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34dd6043fbb03e2b784259bb17be36f6a01c21f61528e3650c78b8c6d3c0e047
Instruction ID: 630e884f666cee6297cd725c9c2bf2a66ab5c64b8206583bdf31ee545957e846
Opcode Fuzzy Hash: 34dd6043fbb03e2b784259bb17be36f6a01c21f61528e3650c78b8c6d3c0e047
Instruction Fuzzy Hash: 54419370A042089FDB04DBB8E8956EEBBB6FF88311F14416AD402AB794DB345D46CB76

Function 05DD6FE8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de1292f2ed57ed2d279322d6375d0ca63ef545e44bc5c31365d61c7e95afef7
Instruction ID: 19aa6f3dbf4f95a62515aff13090b8c39b586301d92f10c15063a493453f3ca7
Opcode Fuzzy Hash: 9de1292f2ed57ed2d279322d6375d0ca63ef545e44bc5c31365d61c7e95afef7
Instruction Fuzzy Hash: 27411570E05218DFCB04CFA9D844AEEFBB6FF88311F5094AAD405A7290DB759981CFA0

Function 05DD6FD9 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05cd21a82ce01246ae26542e6594fdbc202094706f22c20a374015c4ed3ca09f
Instruction ID: 18a22ab5855ee78d3b81db2732d97cdc75d67fed3fdac4ef464789de159cb422
Opcode Fuzzy Hash: 05cd21a82ce01246ae26542e6594fdbc202094706f22c20a374015c4ed3ca09f
Instruction Fuzzy Hash: 373133B0D05218DFCB04CFA8D844BEEFBB2FF49311F0494AAE405A7291DB759981CBA0

Function 05DDAF3A Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377076532e71fc428c9d442a2d1b4d34bfa9dfd5c7a399a4e1836783ae4bb7d4
Instruction ID: c81eba6b405d3aa3ce38a68ee87ddbda22ed9c9f06f334ede5c4e5a16ffa048d
Opcode Fuzzy Hash: 377076532e71fc428c9d442a2d1b4d34bfa9dfd5c7a399a4e1836783ae4bb7d4
Instruction Fuzzy Hash: C1314A7090A248CFD709CF65D8445ADBFB6BF8E311F15D1ABE449A7262CB348945CF20

Function 0161D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065068697.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_161d000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8f3c12b8c04e736e11b32cc88346ca84477ab3c83604f12144f34c50ed26a6
Instruction ID: 304bef777a1df034789c7fcf2ef23e47925cf48686a283e79868d90b15bb5a79
Opcode Fuzzy Hash: ee8f3c12b8c04e736e11b32cc88346ca84477ab3c83604f12144f34c50ed26a6
Instruction Fuzzy Hash: 5A210371500240DFDB15DF58D9C8F26BF65FB88318F28C569E9090B35AC33AD416CAB2

Function 0161D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065068697.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_161d000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 177d1e30b19673a59cff038db946b68e6e02bd85bb2c9b00e3007ddd42377f9d
Instruction ID: e092928d72cc402e24c4ca2e19b66be19562c0cbb9e0452cf827082d5f7aee98
Opcode Fuzzy Hash: 177d1e30b19673a59cff038db946b68e6e02bd85bb2c9b00e3007ddd42377f9d
Instruction Fuzzy Hash: 80213671140204DFDB05DF98D9C8B56BF65FB98314F28C569E90A0B35AC33AE406C7A2

Function 018BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065446705.00000000018BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18bd000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87382e24fa88b8ea57c22afe14618af3bcd4e2f55e69b213704205f12adb63f6
Instruction ID: 8e03943200736a7ce3fbddf976116b8de871abf23d7e3f4bccb02b2c78605a14
Opcode Fuzzy Hash: 87382e24fa88b8ea57c22afe14618af3bcd4e2f55e69b213704205f12adb63f6
Instruction Fuzzy Hash: 44213471604204EFCB15DFA8D9C0B26BF65FB88318F20C66DD90A8B356C33AD507CA61

Function 018BD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065446705.00000000018BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18bd000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0a65c477d166e9e2a3a67dc8add5bf20633ae44e0bbd869cd9dd97e2f83e35
Instruction ID: 818abc5a32caf8c6fed1c2b1fca580f4a5072d34bb85c5ed1fc56f817dbd61bc
Opcode Fuzzy Hash: 1c0a65c477d166e9e2a3a67dc8add5bf20633ae44e0bbd869cd9dd97e2f83e35
Instruction Fuzzy Hash: 0721F571504244EFDB05DF98D5C0B66BF65FB84328F20C66DD9098B356C33AE506CB61

Function 05DDFD70 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3584b675c99a43fdfcfa2bfea032c3b5ce4c4a9b98e9df7bea5c1088e68aa3ae
Instruction ID: 15eb6bbd19f3acad5f4a58f7e7ba3b167b957d937fc8798286b70d3abc7c3790
Opcode Fuzzy Hash: 3584b675c99a43fdfcfa2bfea032c3b5ce4c4a9b98e9df7bea5c1088e68aa3ae
Instruction Fuzzy Hash: 7631A774E142099FCB05DF98D894AEDFBB6FF48310F14812AE906A7360DB74A941CFA4

Function 05DDFD60 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3dce318865159561161b3b7a8fff496996a2522bbf7b2ead2f6cc744668183
Instruction ID: fbb1cc6806a8535c9d91c9dd4cedc2570f71a1c8de8b950b2320c6c4831a5d8b
Opcode Fuzzy Hash: 5d3dce318865159561161b3b7a8fff496996a2522bbf7b2ead2f6cc744668183
Instruction Fuzzy Hash: 4531F674E052099FCB05DFA8C498AEDFBB2FF49310F04816AE952A7360DB749941CFA5

Function 05DDCE5B Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c868e7c2bebcc19e6f1eb61d4d53f66c209362088febbf9b62b1ceee669e6d74
Instruction ID: 7b3d84935a669adee96331f955a5920c50b4e0f72b9c43c5405be3e553360ec0
Opcode Fuzzy Hash: c868e7c2bebcc19e6f1eb61d4d53f66c209362088febbf9b62b1ceee669e6d74
Instruction Fuzzy Hash: F931FAB4A00309DFCB14DF68D9955ACBBB6FB88301F10826AE859E7715DB349D42CF60

Function 05DDE180 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e364f09e0e05956b644a37070c0fb04353bc99d168c4c739ba832dccb18ee0e6
Instruction ID: 0dd5ef43fcfefd3fef7b2385e61f4af6a04912ff0249f179e457d8bfe44f832d
Opcode Fuzzy Hash: e364f09e0e05956b644a37070c0fb04353bc99d168c4c739ba832dccb18ee0e6
Instruction Fuzzy Hash: 0D118130B002158BCB189B79DC10ABEBBBBFF84720F14852AE8468F344EA74C94187E1

Function 05DDCE50 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8748dc094491902c5ed06e14dac8b1050d2022d465db51f41c55d5ae974f8bff
Instruction ID: 1e4d43eb3601a2c7e2fc0ab30188482f2b38e55d2e8d48773bf38e4e5e10ad7f
Opcode Fuzzy Hash: 8748dc094491902c5ed06e14dac8b1050d2022d465db51f41c55d5ae974f8bff
Instruction Fuzzy Hash: B9211BB4A10209CFCB24DFA8D8955ACBBB6FF88301F20826AD419A7315DB349D42CF60

Function 018BD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065446705.00000000018BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18bd000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f02ef011fb9e2bff17ca00e102a67a242c48b1c223fe086d0fc99cc4e9c4c4f
Instruction ID: 8a20c1c634549479e39c165649cec5fdfb93ff866daffb09fe57c93dcf9eea60
Opcode Fuzzy Hash: 2f02ef011fb9e2bff17ca00e102a67a242c48b1c223fe086d0fc99cc4e9c4c4f
Instruction Fuzzy Hash: 422171755083809FCB02CF54D994711BF71EB46314F28C5DAD8498B2A7C33A981ACB62

Function 0161D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065068697.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_161d000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: ebc930416363498c4c3de84a50f8ee3876bd6cadfc5f1087a1c2030327405329
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 6111E172404280CFCB06CF54D9C4B16BF71FB88314F28C6A9D9490B25BC336D45ACBA2

Function 0161D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065068697.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_161d000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 8c14c9ed776f1634894797b4c0f94d403efcb75232149d1c6957f6a975c4e465
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: C011DF72444240DFDB16CF44D9C4B56BF71FB88324F28C6A9D9090B25BC33AE45ACBA2

Function 018BD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065446705.00000000018BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18bd000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 6e47503844a253bd12ce37c794216283b8526341805550ea3661013a65501025
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 7E11BB75504280EFDB02CF54C5C4B15BFA2FB84328F24C6A9D8498B397C33AE40ACB62

Function 05DD6EB8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e526e65bac366a0ac1572c2dde2248a4384b10b7cb9b71c2a62caf778caff0df
Instruction ID: b783ecceb60c76671644530ef27719384352385375fff3e3244fa4a5e06501a1
Opcode Fuzzy Hash: e526e65bac366a0ac1572c2dde2248a4384b10b7cb9b71c2a62caf778caff0df
Instruction Fuzzy Hash: 5B1133B4D4560ADFCB40CFA9D4416EEFFF1FB4A304F1085AAD818A3251EB748A45CBA0

Function 05DD6E10 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a1bedfc0534c19ee7591c070b8e52289b99db194a4711bc9c36497ba891df9
Instruction ID: 32ebdc23a6dbf6ee1d40dff66ca923245cf47e5a5de3e82467c6cab1f2c644c6
Opcode Fuzzy Hash: 15a1bedfc0534c19ee7591c070b8e52289b99db194a4711bc9c36497ba891df9
Instruction Fuzzy Hash: 0611F570D14209DBCB44CFE9D4456EEFBF5AB49210F10C16AD419A3251E7749A41CFA0

Function 05DD6EC8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b3443d42e37a78945e69f579356a49c2aebaefe813b643dccc2e6696c74505
Instruction ID: 56548d96c2592cb0c4e1b64d34f3df48d9bbd764f9ded4ab7cf500ab51bd76d9
Opcode Fuzzy Hash: 87b3443d42e37a78945e69f579356a49c2aebaefe813b643dccc2e6696c74505
Instruction Fuzzy Hash: 2B11B3B0D45609DFCB44DFB9D4416AEFBF6BB49344F1084AAD819E3200E7749A45CFA0

Function 05DD6E20 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5178bb7a9fcf77a5ba2c428288ac237a0a6aef953eef4ee7eb18fcca81c4204e
Instruction ID: 28ac261b74fcc520f0a7295e5b01191de3f5674e345a129738669e7cbaf8014d
Opcode Fuzzy Hash: 5178bb7a9fcf77a5ba2c428288ac237a0a6aef953eef4ee7eb18fcca81c4204e
Instruction Fuzzy Hash: AD11AEB0D19209DFCB44DFEAD4456EEFBF6AB49200F14C4AAD419E3250E7749A41CFA1

Function 05DDB3A7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c3b476e01b576592ac4a370aec6c12c17c5386e89d60402b25b251f4065f62
Instruction ID: 27822cba518435ca01d6d5c2ba2f9dde2ead6e418626589926d796933d7f8982
Opcode Fuzzy Hash: b4c3b476e01b576592ac4a370aec6c12c17c5386e89d60402b25b251f4065f62
Instruction Fuzzy Hash: 30014035909108DFDB04DFA8CA84AA8BFF6AF4A311F1981D6D8099B366D731DD01EF11

Function 05DDCD4B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f9362874e7c0ebbda8b14b568682c22883637adb0534d586710cb9f6894006
Instruction ID: 509a9be974bbcb96492aa8c1229d7672de9b716de29709646417439a953937b9
Opcode Fuzzy Hash: 26f9362874e7c0ebbda8b14b568682c22883637adb0534d586710cb9f6894006
Instruction Fuzzy Hash: 40111CB4A01219CFDB64DF64DC95BACB7B6FB88311F108296D909A7750DB349D82CF60

Function 0161D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065068697.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_161d000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e83b41d2b34a5adb3fee9c1691ee1e21e6e3e89d306f396a9d869546090ee2
Instruction ID: 4b4d46a7a8a7de6145e756530033a84d9ca2da770a5b826e006c93ba0d7e7c55
Opcode Fuzzy Hash: 78e83b41d2b34a5adb3fee9c1691ee1e21e6e3e89d306f396a9d869546090ee2
Instruction Fuzzy Hash: C201DB710053849AE7219E99CD8CB77FF9CEF45324F1CC52AEE190A39AD3799841CA71

Function 05DDB338 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ba9acefb1f5f90386a6e0ec0e89d246c017b450091a5f9c393431fdbd9c67f
Instruction ID: 878997cc59a913df63a5dc92786250d0ad12e16db66f578e4da2afba5c7f4fd6
Opcode Fuzzy Hash: f0ba9acefb1f5f90386a6e0ec0e89d246c017b450091a5f9c393431fdbd9c67f
Instruction Fuzzy Hash: 2601B17090D204DFDB04CFA5C941AACBBB9EF4A304B1592ABD8059B222D730CA45EF50

Function 05DDCD21 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1b0fc5395b745e7ff7ff4b019a06c4d3f8fd9dd5ab29d033524f26d19d6287
Instruction ID: bd9ae1750f5f8b691e0c612043dad4f72241370637b5f0b02b52a607eeaa66f0
Opcode Fuzzy Hash: 1c1b0fc5395b745e7ff7ff4b019a06c4d3f8fd9dd5ab29d033524f26d19d6287
Instruction Fuzzy Hash: BB01C9B4915309CFC700DF64E9455ADBBFAFB49302B14A625D4099B265D734DD01CB61

Function 05DDB3B8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce165e5de26529abc80345c20356d21b25ab7914428201caa0ec0455df315a87
Instruction ID: aed977cc069635539dcd95e61c967ed1b5b8528e52c367849bf39673df229e75
Opcode Fuzzy Hash: ce165e5de26529abc80345c20356d21b25ab7914428201caa0ec0455df315a87
Instruction Fuzzy Hash: D501FB75A04108DFD704DFA8CA85AADBBF6AF48300F15C19698099B351DB31DE00EB50

Function 05DDCC70 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39046196d11aa284287addd4df36c059ae26a8408eef47ea34f1e65f3f4791f
Instruction ID: 3817dca380bcbf3646e2a180ba03348a534a25d9079b75ddd86097e718eef58c
Opcode Fuzzy Hash: a39046196d11aa284287addd4df36c059ae26a8408eef47ea34f1e65f3f4791f
Instruction Fuzzy Hash: 03F0C2B4509248CFD752CBB9CC89BA8BFBAFF46301F048253D00197265DB34594ACB72

Function 05DDA8C0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96adf6cd0d3b1d7cad5d885c768777bb1cc0db5eb8ab135ea7728b4e0a4f63d6
Instruction ID: 91f9f6b1206b3646e20a9588d5a3ee9f6fefb9adf43eaea87f288b915c322dad
Opcode Fuzzy Hash: 96adf6cd0d3b1d7cad5d885c768777bb1cc0db5eb8ab135ea7728b4e0a4f63d6
Instruction Fuzzy Hash: DE012CB0D08655CFDB04CFA6D8446ADFFB2BF89301F04D4A6D409A6255D7348946CF20

Function 0161D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065068697.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_161d000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78013b76e3c4473038075cd9e8284b1981089bfca034862e32f9bef024040910
Instruction ID: e8cdd437afcb646c4cfe21d1ff44bcf379e5fba5ab1015f45b8cf516a480b797
Opcode Fuzzy Hash: 78013b76e3c4473038075cd9e8284b1981089bfca034862e32f9bef024040910
Instruction Fuzzy Hash: 91F062714053849AE7119E1ADD88B62FF98EF45734F1CC45AEE484A39AC3799844CAB1

Function 05DD683F Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5bd3f33d2a9e5e3bfe8c5d778c8b07f2cd90d3267e0aef6ee92fa40e1e207c
Instruction ID: ccd8fe145cbd828e86c03903e1594b11dab6dffea83691c191e0fecad755dd16
Opcode Fuzzy Hash: db5bd3f33d2a9e5e3bfe8c5d778c8b07f2cd90d3267e0aef6ee92fa40e1e207c
Instruction Fuzzy Hash: 0BF04F70D09209DFCB40DFA8E8016AEFFF5BB49300F50816AD859E3241DB309A04DBA2

Function 05DDE121 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c67b333401a515f2f181686996ca4ad3ff05c9b1388d0b65497e96e48a7691
Instruction ID: 46f8375bf860453acd5e85222d21a0fc0ba7d8783066352c3197bba2880bc3b2
Opcode Fuzzy Hash: 87c67b333401a515f2f181686996ca4ad3ff05c9b1388d0b65497e96e48a7691
Instruction Fuzzy Hash: 0CF090B5D05208EFCB41DFA8D8406DDFBB4FB89310F04819AE8049A351D6345A51DB61

Function 05DD8E44 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c585f9894836e60e6cfa367ee8368c26f43e233cc466d1d6ba71b572a14fa7
Instruction ID: 03afec1c3d16789dd7e53489b92e250940dd01cedcc6af14fabfb84d3349b7ee
Opcode Fuzzy Hash: 85c585f9894836e60e6cfa367ee8368c26f43e233cc466d1d6ba71b572a14fa7
Instruction Fuzzy Hash: 45F0307090A315CFCB45CF55DDA4AFDF77AFB49300F005166E046A31A5D7754945CB21

Function 05DD6850 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281c8fe0cf94525c6ff72445022432a06f9eff8818545aaf193da6f4a4b74050
Instruction ID: 93b6c0c8ef1a388a4188912e9f46b1ff8279efe66f6d56019eea5070c898f8c0
Opcode Fuzzy Hash: 281c8fe0cf94525c6ff72445022432a06f9eff8818545aaf193da6f4a4b74050
Instruction Fuzzy Hash: 73F0FEB4D09209DFCB44DFA9D9016BEFBF9BB49300F10916AD459A3341DB709A00DBA2

Function 05DDCCC9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e139e681b80b64f3211a4313c4cfe6ee11a4a614892c4e8dbe5f52a88f1c62
Instruction ID: 5ed0cd95d2174fd1a9f9d7f717821458d4d00a1c3c5261c46c204bf86a02478d
Opcode Fuzzy Hash: b9e139e681b80b64f3211a4313c4cfe6ee11a4a614892c4e8dbe5f52a88f1c62
Instruction Fuzzy Hash: 1FF01DB4944349DFCB01DFD8D886AACBBBAEF88311F109626D4119F398D738AC46CB50

Function 05DDCC80 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a465d20de578385af05c2ea94d0a0730082ddee02ef80f14402f13804324b92
Instruction ID: 85db1f35679e89bf508a16e880ae859233898ec57457fe687d90cb8b78d3cce1
Opcode Fuzzy Hash: 2a465d20de578385af05c2ea94d0a0730082ddee02ef80f14402f13804324b92
Instruction Fuzzy Hash: 99F0A0B0918208CBD751DBA9C849BADFBBAEF84301F10D6269412A3260DB74594ACB71

Function 05DDAACA Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e096f244f88c8698f30a4b50316de2c4daf65a243fec7cc48e7df746498ee73c
Instruction ID: 114ab7e697c922c8e87ca128a3a087dcd54305edaee8b2d117d919c6e4255bd0
Opcode Fuzzy Hash: e096f244f88c8698f30a4b50316de2c4daf65a243fec7cc48e7df746498ee73c
Instruction Fuzzy Hash: 5AF0BD74909219CFCB14CF54CA84AA9B7B6FF49301F109696D45967251C375DD82CF60

Function 05DD92E9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4de09f4018a9d873e0ccef0ffb263112a59f3283b2778fbe60708a5ece32297
Instruction ID: f01e46d4290e4345e6e92d11106d11888a8b7a276f500a7446409d6769594978
Opcode Fuzzy Hash: e4de09f4018a9d873e0ccef0ffb263112a59f3283b2778fbe60708a5ece32297
Instruction Fuzzy Hash: 50F030B4A0E3599FCB44CF54CDA8AADFB7ABB44200F0451A6A005A71A5C7755948CB22

Function 05DD6F99 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07575fad63c9154b31f32cef3629edbef48cf074dcf821bd0b2e07fd45e3085f
Instruction ID: 95625e5eb8c7af93a7513a30d40dd667218e84ebf3c65a861e6f4286c0b790bb
Opcode Fuzzy Hash: 07575fad63c9154b31f32cef3629edbef48cf074dcf821bd0b2e07fd45e3085f
Instruction Fuzzy Hash: 60E04F3141D2048FC701CFB4DE86AB4FB75AB47201B1955DAD80957252DB31D919D7A1

Function 05DDEB09 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b0435e692645cee541219027359be1093c970a9acbe9af37f904bf3d7cf7b8
Instruction ID: 650f1cdf531a650bd4c368bf91e8f8099b11299c05bfdb974b195ae672ebe994
Opcode Fuzzy Hash: 05b0435e692645cee541219027359be1093c970a9acbe9af37f904bf3d7cf7b8
Instruction Fuzzy Hash: 31E092B080D248DBC705EBA4D84529CBB71EB45311F08429ADC059BB92D6380E15C792

Function 05DDE130 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208efff621a672965c5142e620fbc1ed8c580fcdc6ba0fd573e5c2d77962f258
Instruction ID: ad8862c79e906c67b9e7cdecf12d1ba44c75e18acbee0fb7dc5561829a111a98
Opcode Fuzzy Hash: 208efff621a672965c5142e620fbc1ed8c580fcdc6ba0fd573e5c2d77962f258
Instruction Fuzzy Hash: 58F039B5E0420CEFCF40EFA8D44469CBBF5FB88301F10C1AAA818A7390D6355A51EF41

Function 05DD7120 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92231c7b61cc35c7db69b5ac13ebae786a7e23e2fdb125a9324e2b5c68ab61df
Instruction ID: 75f0c75296a7965ed437d91b10f65dd905f5c189bd7c407526f4a77ee759c63c
Opcode Fuzzy Hash: 92231c7b61cc35c7db69b5ac13ebae786a7e23e2fdb125a9324e2b5c68ab61df
Instruction Fuzzy Hash: D8F03974919285CFCB52CB68D885A98BFF0FF06325B1902CAD894CB3B3D6716915CB52

Function 05DD6DD0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af93d2c48ac84119e9f9c7be4b4cbd5c35ee8f59ba06e063f5374983d3fb78c8
Instruction ID: 95d75785cbd11f753a0a4faf27bb6963ca22961bc281a1a861eb1f9d27641ba2
Opcode Fuzzy Hash: af93d2c48ac84119e9f9c7be4b4cbd5c35ee8f59ba06e063f5374983d3fb78c8
Instruction Fuzzy Hash: 8BE09A788183858FC753C7A8E9053897FA0AB02220F1806DAD8D4EB2A2EB610A91C752

Function 05DD6803 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996dad7d39fb707269e4cbfe802f7d2c50f3059692bf09cd22652a24e4839bc6
Instruction ID: b3cac87eb54629be237cc8d2f0b4f6049c8d9fad65594180b5c43a1967e22494
Opcode Fuzzy Hash: 996dad7d39fb707269e4cbfe802f7d2c50f3059692bf09cd22652a24e4839bc6
Instruction Fuzzy Hash: E2E09A74D15208EFCB44DFA9D44569DBBF4EB48311F1581AAA818A3340DB745A54DF81

Function 05DD6338 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc607ad3c0e762f3a3f6f25f8f369e897fcd3275ee9202b77809344572330bf3
Instruction ID: dafe366e01291112cbcea909a1dd00d08da501ba12a778d49b8dced6724e3f26
Opcode Fuzzy Hash: dc607ad3c0e762f3a3f6f25f8f369e897fcd3275ee9202b77809344572330bf3
Instruction Fuzzy Hash: B5E0D87081C3858FC761C7A8E405759BFA0AB02325F1843DBDC549B2D3DB310951C742

Function 05DD6FA8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4d4c3126139b9822b5f44c0b3733dea03254a84ac7afd41b3abf3f6e6b6815
Instruction ID: 660110739950f247e663ba8c7bf617a966ea7d0b2c8c05c11ae4096b139fd82b
Opcode Fuzzy Hash: cc4d4c3126139b9822b5f44c0b3733dea03254a84ac7afd41b3abf3f6e6b6815
Instruction Fuzzy Hash: F5D05E3046D208DBC600DE649C05AB9FB7CA707251F001055E40D53241DB71D908D7A5

Function 05DD6F60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99df7517d7da62c6734bd8c73515da80a2a194217f26cf18ae8e36de2c49eb0b
Instruction ID: b4d63dc22d72dd877bc08a7d8003f9d59ea399830548b857406f931001819804
Opcode Fuzzy Hash: 99df7517d7da62c6734bd8c73515da80a2a194217f26cf18ae8e36de2c49eb0b
Instruction Fuzzy Hash: 04E08C7045E284CFC701CFA4DE86B99BF75BF03302B0845CAD008AB266CB30A918DB62

Function 05DD6808 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df30dd387c5a03c77f1bd80ae0361d319c302ff3369e35eee281218e0ab374a
Instruction ID: 92cd5be33fe5d26252b8ce5be06f20aec4a94897b484f9659493b0341fde17e3
Opcode Fuzzy Hash: 2df30dd387c5a03c77f1bd80ae0361d319c302ff3369e35eee281218e0ab374a
Instruction Fuzzy Hash: 77E0B674D19208EFCB44EFA9E445A9DBFF4FB48311F1081AAE818A3340EB745A54DF81

Function 05DD7130 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b946f035e87010a7f14c0b5271f5753b27ceee13d490ccd1f8974e1b7b4310b6
Instruction ID: 86bff4f57e4a908c5bab683a3df9c8d8422cf58640ba11860d4c8b65a5cf1ee5
Opcode Fuzzy Hash: b946f035e87010a7f14c0b5271f5753b27ceee13d490ccd1f8974e1b7b4310b6
Instruction Fuzzy Hash: 52E04634A20208DFCB40EFA8D449A8CBBF4FB08611F1041EAE808D3320E7309A40CB81

Function 05DD6348 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8a4d05d5b77a441b5e72866caa42c41625493b0e5cd414f58de2951a85b1be
Instruction ID: ccd0060301f46f1f0368ddb969fc69653af58c60b59200c9d9c2d78817dde942
Opcode Fuzzy Hash: 3a8a4d05d5b77a441b5e72866caa42c41625493b0e5cd414f58de2951a85b1be
Instruction Fuzzy Hash: C2E0EC70D25208DFCB44EFA8D44569DBFB4AB04211F1441A9D80893240EB705A54CB91

Function 05DD6DE0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e56696cd637d1667be50280dcdbeeabcdb02bf6aebfc1d5a1fc7cc2ea6ef0d
Instruction ID: dff12cbd1cef045edbdbf8b42e82095f8db5413990616c2ef6ec5fe54fa1f7c9
Opcode Fuzzy Hash: 89e56696cd637d1667be50280dcdbeeabcdb02bf6aebfc1d5a1fc7cc2ea6ef0d
Instruction Fuzzy Hash: 8FE01770D29208EFCB44EFB8E54A79DBFF4AB04211F1041A9E808E3340EB719A94CB91

Function 05DDEB18 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d8523882647bcf52366dfd9e636b993c019b78a76213184f1cb8287a4e718d
Instruction ID: cf4b21a9a18b566cf2f7c1433601a9604e828bd82b11e54676b70f471a652aca
Opcode Fuzzy Hash: 20d8523882647bcf52366dfd9e636b993c019b78a76213184f1cb8287a4e718d
Instruction Fuzzy Hash: C3E0C2B490820CEBCB04EFA8D8453ACBBB4EB80302F1402AED80657380CA341E45D752

Function 05DD6F70 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee91c31296879f91174c0f8d3daadd174630a44b015e9b62f9af0125cb4dedbd
Instruction ID: f2aac171682090dc5457190811dcdce64587a4fcca5261402db6e5515f6c856c
Opcode Fuzzy Hash: ee91c31296879f91174c0f8d3daadd174630a44b015e9b62f9af0125cb4dedbd
Instruction Fuzzy Hash: 4ED01270469208DFC744DFA4E406B9EBF7CF702622F400199A41953250DF715D14D795

Function 05DDA9E6 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af45e46818f34f81bc7592a2df6feca8bcd8735299b22bf541188a21804f080c
Instruction ID: ce0a149a2467df1593868cf5892c0a15f3d77ca4c19a28f8f11e4b262b4a9d0f
Opcode Fuzzy Hash: af45e46818f34f81bc7592a2df6feca8bcd8735299b22bf541188a21804f080c
Instruction Fuzzy Hash: B1E017B1209340CFC315CF24C554AA4BB7AFF8F206B4006DAE18A9B2A2C735DC82CF10

Function 05DDCED1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad991c2a453707e8bbddba4e7baf9edd241148d91e5551edce92ae351ed707c
Instruction ID: 268d5b212bf065678d7acfd038b65dbb4e5ea9415c6ace0f35599d1a00bd34ef
Opcode Fuzzy Hash: 6ad991c2a453707e8bbddba4e7baf9edd241148d91e5551edce92ae351ed707c
Instruction Fuzzy Hash: F2D017B0800249CFCB00CFA8D849A5C7BB6EF4A306F149645D42097215C3386466CB51

Function 05DD8C88 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873ac15e23c76207b2a7ce344898eeb8bcb7900ca6d17dd191c190b8a1876349
Instruction ID: 638f8598652f9951d972575c549e6c7a2a356bbe668d1b95423f7c33517ea27d
Opcode Fuzzy Hash: 873ac15e23c76207b2a7ce344898eeb8bcb7900ca6d17dd191c190b8a1876349
Instruction Fuzzy Hash: A1C08CB000630CCBC3152798E40E33877687F80213F440210A509409518BB94056C622

Function 05DD6068 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23191ce0152baa9cf96ff3d8dd9072f1da1f648586598f2d1faf0a482cd8f60
Instruction ID: c23581edd5ed2089715bc55bc9bdaaa196e38c76caa554dd7500f83c4092d311
Opcode Fuzzy Hash: b23191ce0152baa9cf96ff3d8dd9072f1da1f648586598f2d1faf0a482cd8f60
Instruction Fuzzy Hash: EBC09B5A6557C087E20152787D05F113E518BF6F60F192057455527183986498278277

Function 05DDD348 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3bb3af87ed1eebb1646a184904721fa2be973b470e1f5e548427b31f3b8c350
Instruction ID: 1a1eb0a61dd3c60e8e9fcbec5e7dd9110e213fe43e91398d46b99837e49dabc4
Opcode Fuzzy Hash: d3bb3af87ed1eebb1646a184904721fa2be973b470e1f5e548427b31f3b8c350
Instruction Fuzzy Hash: 0CC012B0A002089BCB01DB58D5015ACBABEEB88202F0092229456A6624D7388802CBA0

Function 05DD3F94 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34728fe1328d356522c92a2e7a3d13b9af004a1673d069147674661fd730a841
Instruction ID: dd927c80faca32e7c247b40ffe8f0399701ce3cdf66d52b0381a0039e149c9fa
Opcode Fuzzy Hash: 34728fe1328d356522c92a2e7a3d13b9af004a1673d069147674661fd730a841
Instruction Fuzzy Hash: 43B012392D4600A18000B2744E84D3AD423EFB1B01B80AC223784D0010C830C86DD62B

Non-executed Functions

Function 076D4590 Relevance: 1.6, Strings: 1, Instructions: 339COMMON

Download Yara Rule

Strings

Xaq, xrefs: 076D4848

Memory Dump Source

Source File: 00000000.00000002.2093632137.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID: Xaq
API String ID: 0-686314484
Opcode ID: d75879af47a98156de7d1ce5755553d065df385ed1c044397b3c26ad4b3e281c
Instruction ID: 941705b2bb2c7f8f425f647f96db7cefc49b42217fd339cedd16a3d5ffb8a989
Opcode Fuzzy Hash: d75879af47a98156de7d1ce5755553d065df385ed1c044397b3c26ad4b3e281c
Instruction Fuzzy Hash: 70C14DB4B202858FDB14DF79C984A6A7BBAAF89650F158069E807DB365DF30DC41CB90

Function 05DDF538 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

3m2Z, xrefs: 05DDF593

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID: 3m2Z
API String ID: 0-3843767483
Opcode ID: 274914042278b159b613e4bc4db479a3b458ba8837fa514e7f842c07bdb1093d
Instruction ID: af3f5c680e78a81dae3f7e77c11478e22efaea5b432c8e7fc469142f66859e90
Opcode Fuzzy Hash: 274914042278b159b613e4bc4db479a3b458ba8837fa514e7f842c07bdb1093d
Instruction Fuzzy Hash: 18E10874E0421A9FCB14CFA8C5809AEFBB2FF89305F24C16AD415AB356D731A941CF61

Function 05DD4B20 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

4']q, xrefs: 05DD4C02

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 14ee0a68c7b87ae01d736974abc355c3b305ff3574f8df75698ab43cbde1f408
Instruction ID: 198bea66e765b30208975e56a63b90962f964301add6ce7408c0a3fa3cdd9634
Opcode Fuzzy Hash: 14ee0a68c7b87ae01d736974abc355c3b305ff3574f8df75698ab43cbde1f408
Instruction Fuzzy Hash: 8E612DB1A042498FEB08EF7AF85169A7FF6FF88301F14D529D01997264DB785806CB50

Function 05DD4B30 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4']q, xrefs: 05DD4C02

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 5a6c8af7742ce9d0b876ab2b2c09e003f02ef3543a4f04317546de50522a3aa2
Instruction ID: e7488ebe75ec4ed254c8026acb4fe873a6df135a61d00d3954d04f8d37172fca
Opcode Fuzzy Hash: 5a6c8af7742ce9d0b876ab2b2c09e003f02ef3543a4f04317546de50522a3aa2
Instruction Fuzzy Hash: 62611CB0A042498FEB48EF7AF95169A7FF7FF88301F04D529D0099B264DB785805CB51

Function 05DDF100 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9643db4276de031cb061d1ef4276d36c9c230085a24a7098aafe4bacf0627d
Instruction ID: 391e571c3c4cc92addfe0176155ebb463f97213d5557eca1eedec413f5bdfaea
Opcode Fuzzy Hash: ed9643db4276de031cb061d1ef4276d36c9c230085a24a7098aafe4bacf0627d
Instruction Fuzzy Hash: 35E1D674E042598FCB14CFA9C5809AEFBB2FF89305F24C16AD815AB356D730A941CF61

Function 05DDDCF8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d4942be9069001745d2ddda57975602f4b549edf9066db890a86a43f63df51
Instruction ID: 7de546f8b55e97992fb62227d64022f42ce80f44579c34bc253b8f9ef7fc44ea
Opcode Fuzzy Hash: c2d4942be9069001745d2ddda57975602f4b549edf9066db890a86a43f63df51
Instruction Fuzzy Hash: 7EE1E6B4E042598FCB14DFA9C5809AEFBF2FF89305F24816AD415AB356D730A941CFA1

Function 05DDD8C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf247596f53953b2f459be82d57b770a4551db6977a2421ca0718deffa6cca5
Instruction ID: a7b34e1b89a7be5d9aa6c7ed2e15a7e2e1e37702af99b5b1e64536dfd7458d88
Opcode Fuzzy Hash: eaf247596f53953b2f459be82d57b770a4551db6977a2421ca0718deffa6cca5
Instruction Fuzzy Hash: F1E103B4E042598FCB14DFA9C5809AEFBB2FF89305F24C16AE415AB356D734A941CF60

Function 031BE0CC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2066381317.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31b0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb38c34a524d40066d9db7e39263bc814d11478b3c17876e00dcf43f3081d352
Instruction ID: a59f5d085dd14ca25d0aa314e08af4c349e996030a4fa7d67ef0bf35d95df102
Opcode Fuzzy Hash: cb38c34a524d40066d9db7e39263bc814d11478b3c17876e00dcf43f3081d352
Instruction Fuzzy Hash: 26A16136E10205DFCF09DFB5D8405DEBBB2FF89300B2985AAE805AB265DB31D956CB50

Function 05DD5D40 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11af5fbe26b5d4e4f9531cfd5a83f39931155a37f43405c2449d109bd1f4356c
Instruction ID: 9c72ea334e923508d37e2d627472fd8bd98ee69e8bd3ad4313601202d2eca1ed
Opcode Fuzzy Hash: 11af5fbe26b5d4e4f9531cfd5a83f39931155a37f43405c2449d109bd1f4356c
Instruction Fuzzy Hash: D591DB70D05219DFDF14DFA9E888BEDFBB2BB49310F10806AE419A7261DB749985CF60

Function 05DDDCE8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092866854.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5dd0000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e01fcaaff9b5080b2d7ded0ba6d3aac4c1e2b45a9b138a1ab8282923b2cb83c
Instruction ID: a4924cf2fab9b4b3e815dddf210c68f6f6545cb6750aec78960146427f0f1b48
Opcode Fuzzy Hash: 1e01fcaaff9b5080b2d7ded0ba6d3aac4c1e2b45a9b138a1ab8282923b2cb83c
Instruction Fuzzy Hash: D15107B4E042198BCB14DFA9C5805AEFBF2FF89301F24C16AD458AB356D7309A41CFA1

Analysis Process: UoEDaAjHGW.exePID: 7472, Parent PID: 7268COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	80
Total number of Limit Nodes:	9

Executed Functions

Function 01596540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015965BE
GetCurrentThread.KERNEL32 ref: 015965FB
GetCurrentProcess.KERNEL32 ref: 01596638
GetCurrentThreadId.KERNEL32 ref: 01596691

Memory Dump Source

Source File: 00000004.00000002.2094458426.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_UoEDaAjHGW.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5f8768a44d0ec1fc05f5198f55ca4f4269a53b85a84d7067008c0f1039bcb06c
Instruction ID: e21833dd04479c6e1a5b1b6c921052875b928ce501a02b045fdd8675ae2b625f
Opcode Fuzzy Hash: 5f8768a44d0ec1fc05f5198f55ca4f4269a53b85a84d7067008c0f1039bcb06c
Instruction Fuzzy Hash: FB5138B09103098FDB58DFA9D548BAEBFF5FF48314F208459E409A7390DB395944CB65

Function 0159BFF0 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0159C256

Memory Dump Source

Source File: 00000004.00000002.2094458426.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_UoEDaAjHGW.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3fb94234eb31e70ccbb53e5a76f0a2aa5cb47f24d7fc6cc070f3cce5e5a7fa11
Instruction ID: 56a77404096932988f0eddde8b95ea962a6f7c44b13777af7be317d4b29555ee
Opcode Fuzzy Hash: 3fb94234eb31e70ccbb53e5a76f0a2aa5cb47f24d7fc6cc070f3cce5e5a7fa11
Instruction Fuzzy Hash: 918157B0A00B458FDB24DF69D54475ABBF1FF88300F00896ED48ADBA50DB75E849CB91

Function 01596414 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01597421

Memory Dump Source

Source File: 00000004.00000002.2094458426.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_UoEDaAjHGW.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 140e40509d437547362926da2fbda403ec423eb020dd1d0c554df2622d446fa9
Instruction ID: 594a5e15796817f20f2105b30703c9b2abad3984d4b33baf01ab2ad6907c268f
Opcode Fuzzy Hash: 140e40509d437547362926da2fbda403ec423eb020dd1d0c554df2622d446fa9
Instruction Fuzzy Hash: 5541B2B0C0061DCBDB28DFA9C944B9EBBF5BF49304F20806AD418AB255DB756946CF91

Function 01597364 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01597421

Memory Dump Source

Source File: 00000004.00000002.2094458426.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_UoEDaAjHGW.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6c9499a118d2585e35302f7360842ac75673992f514cbeee6960e66520a65150
Instruction ID: 653826a06b5cbed603f2af97bccbfb2b53a9f85d48cb23d18a09ecbf644dc0da
Opcode Fuzzy Hash: 6c9499a118d2585e35302f7360842ac75673992f514cbeee6960e66520a65150
Instruction Fuzzy Hash: B441F2B0C00619CEDB25CFA9C944BDEFBF5BF48304F20805AD418AB255D775694ACF91

Function 01596780 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0159680F

Memory Dump Source

Source File: 00000004.00000002.2094458426.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_UoEDaAjHGW.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bc603a6b25292d5e6c70f5ae62313328a6e4c3f2febfee9cc1a1652648104cdb
Instruction ID: 0f7757c1d8c7b9297b11ed7b9febd39f6e09baec12be34f46e8b7d6e7cb20a64
Opcode Fuzzy Hash: bc603a6b25292d5e6c70f5ae62313328a6e4c3f2febfee9cc1a1652648104cdb
Instruction Fuzzy Hash: F321E4B5D002489FDB10CF9AD984AEEBFF8FB48310F14841AE918A7351D379A944CFA5

Function 01596788 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0159680F

Memory Dump Source

Source File: 00000004.00000002.2094458426.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_UoEDaAjHGW.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 017c038b1d30f9d121baa9fc7cba4359fe8ebe5ef01b203a49d6624be42996e4
Instruction ID: e37a6655a4ebda80d688236432cda39b24572a50103c12cc9ac6ed0ec8755e31
Opcode Fuzzy Hash: 017c038b1d30f9d121baa9fc7cba4359fe8ebe5ef01b203a49d6624be42996e4
Instruction Fuzzy Hash: D921C4B5D002489FDB10CF9AD984ADEBFF9FB48310F14841AE918A7350D379A944CFA5

Function 0159C1F0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0159C256

Memory Dump Source

Source File: 00000004.00000002.2094458426.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1590000_UoEDaAjHGW.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bef07ba99f488ae228f6c18b2cace421e780a395d2338201ef331906fd22112a
Instruction ID: af3dc99c509dd3ab3bc40978927ffaffc9cc87f030dda7729aca0886f1ed0aea
Opcode Fuzzy Hash: bef07ba99f488ae228f6c18b2cace421e780a395d2338201ef331906fd22112a
Instruction Fuzzy Hash: 6B110FB5C002498FDB10DF9AC444A9EFBF4EB88210F10845AD569B7210C379A545CFA1

Function 0126D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2092342054.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_126d000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1abce59b572187d07540a4293e31c604c5f89a38e9eb086d270b6f8276fb03b1
Instruction ID: 51c9656fc00ed70c3cc1129446b946d97fa4daba6d900833c72279a1eef9deb4
Opcode Fuzzy Hash: 1abce59b572187d07540a4293e31c604c5f89a38e9eb086d270b6f8276fb03b1
Instruction Fuzzy Hash: 2321257561420CDFCB15DF68D580B26BF69FB88314F20C56DD9890B296C37BD487CAA1

Function 0126D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2092342054.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_126d000_UoEDaAjHGW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 18997be9b84bf8456bb6c611b992d4f63f89c7cf45a9925801be92308448b02e
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: B511BE75604288CFDB12CF54D5C4B15BF61FB88314F24C6A9D9494B696C33BD44ACBA2

Analysis Process: Exccelworkbook.exePID: 7568, Parent PID: 7472COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	222
Total number of Limit Nodes:	17

Executed Functions

Function 06D6683F Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05fa28674bac470217cc5523d9af9c3637f3f8bede6195b40cfa8e8d395247cf
Instruction ID: d9951bf4ff10a07c617142bf2fb16814022a2b6765c4a60d7d72b2d6eb8e794b
Opcode Fuzzy Hash: 05fa28674bac470217cc5523d9af9c3637f3f8bede6195b40cfa8e8d395247cf
Instruction Fuzzy Hash: 5FD1F370D04258CFEB94CFAAC8847AEFBF2BF89304F14816AE449A7251D7749985CF52

Function 06D668B0 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d7eee7d69907b6796aaa106b1bae627c1737704bb1e8a2833fad30762e8ff4
Instruction ID: 7d589a8eab484336e9af24210d03cfdc83f2aa661404ee817f9983c1acc66b63
Opcode Fuzzy Hash: 78d7eee7d69907b6796aaa106b1bae627c1737704bb1e8a2833fad30762e8ff4
Instruction Fuzzy Hash: DAC1F370D04258CFEB94CFAAC884BADFBF2BF49304F14916AE449A7251D7709985CF51

Function 06D6689F Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3cbc674931fcf92fd94a79242b3f964e4f1dc39ba1d93f3fb838f4df488d8ff
Instruction ID: 5fef6af1293d5e1cc1c75a72de792a6b30906b1e37b919055de2be99bc36e3ee
Opcode Fuzzy Hash: e3cbc674931fcf92fd94a79242b3f964e4f1dc39ba1d93f3fb838f4df488d8ff
Instruction Fuzzy Hash: 27C1D270E04258CFEB94CFAAC8847ADFBF2BF89304F14816AE449A7251D7749985CF51

Function 06D65D40 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33f56fa3584928193d9008f9980f0d6be0ffa5829704d7086c3a22738c79a23
Instruction ID: 7126b3e66cea4f72310255b7eabbd7c22d36fd16f150e81257105817bb802eb4
Opcode Fuzzy Hash: b33f56fa3584928193d9008f9980f0d6be0ffa5829704d7086c3a22738c79a23
Instruction Fuzzy Hash: C291E2B0D05219DFEF54CFAAE8487EDBBB6FB89310F108069E419A7291DB704985CF80

Function 06D6A558 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4efa06191db940026d2b2484f51cb55024a6eacae0857aa7feadf35599722092
Instruction ID: 824cc01224d5f7761c9d4a4350ffc2c6706aade54700da3e28c6626794d1c5fc
Opcode Fuzzy Hash: 4efa06191db940026d2b2484f51cb55024a6eacae0857aa7feadf35599722092
Instruction Fuzzy Hash: F331EAB0D046588FEB58CFABC9447AEBFF2AF89300F18C06AD449B6255DB744945CF90

Function 0122D551 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0122D5DE
GetCurrentThread.KERNEL32 ref: 0122D61B
GetCurrentProcess.KERNEL32 ref: 0122D658
GetCurrentThreadId.KERNEL32 ref: 0122D6B1

Memory Dump Source

Source File: 00000007.00000002.2125949547.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1220000_Exccelworkbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fe81ee86ea5ecc3ab7f2f18bfd3284316a1d2037e520dc1c58183a4f0967ae10
Instruction ID: 250796180029b20844430e3dcd4b1d080e487888a1f02df46ca01a44dd541313
Opcode Fuzzy Hash: fe81ee86ea5ecc3ab7f2f18bfd3284316a1d2037e520dc1c58183a4f0967ae10
Instruction Fuzzy Hash: 535175B49013498FDB14DFAAE548BAEBFF1EF88304F208459D509A73A1D7389944CF66

Function 0122D560 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0122D5DE
GetCurrentThread.KERNEL32 ref: 0122D61B
GetCurrentProcess.KERNEL32 ref: 0122D658
GetCurrentThreadId.KERNEL32 ref: 0122D6B1

Memory Dump Source

Source File: 00000007.00000002.2125949547.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1220000_Exccelworkbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 761e96cf66a94e2042747f7dacd869554c2e04f173e2845e50cd9d27246cf75d
Instruction ID: 0a017355abe4dcaeaede5347ff218baae81ebd6b18a78224b792f3e503af47be
Opcode Fuzzy Hash: 761e96cf66a94e2042747f7dacd869554c2e04f173e2845e50cd9d27246cf75d
Instruction Fuzzy Hash: DB5167B09002498FDB14DFAAD548BAEBFF5FF88304F208459D119A7361D738A944CF65

Function 06D601F7 Relevance: 2.8, Strings: 2, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 06D6023B
(aq, xrefs: 06D603DE

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: (aq$Haq
API String ID: 0-3785302501
Opcode ID: 0431f54828e32613a9ec7caa3cd6935b13aa05f7640c977fbe2a212aaba251c0
Instruction ID: 1eda78cf49f6419a586258b7aebe42059864b1c91cc9f21365fbe11d3ecccc7d
Opcode Fuzzy Hash: 0431f54828e32613a9ec7caa3cd6935b13aa05f7640c977fbe2a212aaba251c0
Instruction Fuzzy Hash: 63810671E002548FCB54EF6AC954AEEBBF6EF89310F14846DE445EB281DB349D06CBA1

Function 06D69670 Relevance: 2.7, Strings: 2, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 06D696FB
Te]q, xrefs: 06D697BB

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: af7592c235abbc3b3aa42650ce15752192c0ebed48c66fafd82ad7d37c6081fd
Instruction ID: eb2a354f86c8709fabc542669f425ce17e4ffee109e163ebfcb14d98f56a441a
Opcode Fuzzy Hash: af7592c235abbc3b3aa42650ce15752192c0ebed48c66fafd82ad7d37c6081fd
Instruction Fuzzy Hash: 3561B374E042198FDF48DFEAC9946EDBBB6FF89300F209029E419AB355DB319945CB90

Function 06D69660 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 06D696FB
Te]q, xrefs: 06D697BB

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: e17d07358e95c5c26531f7110803767fb43f74723de2cc468bdae0e55cc9b273
Instruction ID: a26447346e596ea483c0cea88b0f0f42c14c31387589418cfa530eb4fdee7651
Opcode Fuzzy Hash: e17d07358e95c5c26531f7110803767fb43f74723de2cc468bdae0e55cc9b273
Instruction Fuzzy Hash: EF51E674E052199FDB44CFEAC9946EDBBB6FF89300F108129E419AB355D734990ACB90

Function 06D607C0 Relevance: 1.8, Strings: 1, Instructions: 522COMMON

Download Yara Rule

Strings

(aq, xrefs: 06D60CBA

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: a8db7469ecc21d6050a44d999126fc9d4cd3f814d1b04d2ee2f02d6923a0866f
Instruction ID: 4d9b0b7597adaf005be7b34f90893f3c138b31ae7cc49bd1d0c69cff4fc33463
Opcode Fuzzy Hash: a8db7469ecc21d6050a44d999126fc9d4cd3f814d1b04d2ee2f02d6923a0866f
Instruction Fuzzy Hash: 67F13970F04205CFDB56AF69C6545AEBFF2EF85304F1584AAE086A72A5EB30CC15CB91

Function 028006DF Relevance: 1.7, APIs: 1, Instructions: 245processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0280091E

Memory Dump Source

Source File: 00000007.00000002.2126532509.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2800000_Exccelworkbook.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a0c53e93d5fb058bd689f5e7d593c4dc2d302e649d706127e84e7f0e70fd7487
Instruction ID: 376e72f97ae6a97284a124e9fb865ac891127e335a0b88f366564644983393b3
Opcode Fuzzy Hash: a0c53e93d5fb058bd689f5e7d593c4dc2d302e649d706127e84e7f0e70fd7487
Instruction Fuzzy Hash: 9CA16A78D002598FEB64CF68CC817EEBBB2BF44314F1481AAD858E7280DB759985CF91

Function 028006E8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0280091E

Memory Dump Source

Source File: 00000007.00000002.2126532509.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2800000_Exccelworkbook.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 39ba09c2cc88328c352040637664958401292a8d338c011f5d4b9a2fd9a8c9c9
Instruction ID: 2970c2f3e01ba05a6c43de81d5e8ee0bd0185a03706c6d784c7f2819f7c2b4d0
Opcode Fuzzy Hash: 39ba09c2cc88328c352040637664958401292a8d338c011f5d4b9a2fd9a8c9c9
Instruction Fuzzy Hash: 59914979D002198FEB64DF68CC817EEBBB2BF44314F1481AAD858E7280DB759985CF91

Function 0122B2B9 Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0122B51E

Memory Dump Source

Source File: 00000007.00000002.2125949547.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1220000_Exccelworkbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bff25666b941752335a2cc0b80c75e4f1f8b282b6c29092182822647632cde20
Instruction ID: b82c142cda9af68795b35faa161adc6fde8856012fe7ba7111faf41d4f0cd23c
Opcode Fuzzy Hash: bff25666b941752335a2cc0b80c75e4f1f8b282b6c29092182822647632cde20
Instruction Fuzzy Hash: 5D815670A10B169FD724DF2AD044B6ABBF5FF88300F108A2DD58AC7A50D779E945CB90

Function 06D6E248 Relevance: 1.6, Strings: 1, Instructions: 366COMMON

Download Yara Rule

Strings

4']q, xrefs: 06D6E758

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: fbd1a369f598027a18ba5f0f1effa973a9317a8d2ca9c126bb0042db32137ee3
Instruction ID: 4a96e072af535d90e110911542e1a652bd2ad7c0950d1e0de4ba140b9dcd3ba2
Opcode Fuzzy Hash: fbd1a369f598027a18ba5f0f1effa973a9317a8d2ca9c126bb0042db32137ee3
Instruction Fuzzy Hash: FCE18134A04209DFDB45EFB9D584AAEBBF6FF88300F108464E805AB369CB35AD45CB55

Function 01225CEC Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01225DA9

Memory Dump Source

Source File: 00000007.00000002.2125949547.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1220000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5e174b1a52608b7feff20a4a32e516d0072b65354915acf48d12e5211f4adb4c
Instruction ID: 1977dadebcd972a853327cbc3ae839977fe67d8764d2df2b23f08efadace08cf
Opcode Fuzzy Hash: 5e174b1a52608b7feff20a4a32e516d0072b65354915acf48d12e5211f4adb4c
Instruction Fuzzy Hash: 824100B0C00719CADB24DFA9C844BCEBBB5BF88304F20816AD418AB255DB756946CF90

Function 01224538 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01225DA9

Memory Dump Source

Source File: 00000007.00000002.2125949547.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1220000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 608cf118cb33f24845b66d0c5408b9faef8c0700746d8fd7c00f7683e9896d8d
Instruction ID: 55604cef7fdfe28af401e7b5b1a089d1ffe011573c1b50e0fc11afbce0895567
Opcode Fuzzy Hash: 608cf118cb33f24845b66d0c5408b9faef8c0700746d8fd7c00f7683e9896d8d
Instruction Fuzzy Hash: 234101B0C10729CBDB28DFA9C844BDEBBF5BF48304F20806AD418AB254DB756946CF90

Function 06D7A888 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168740516.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d70000_Exccelworkbook.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 83ac16eec7294b6d14fd14f896d4404261de3e933041e4bf8d38d61f137b3ab4
Instruction ID: 4e7756df40324d10a40392028f1f33f9882bcfd5309de8d7b36e1b662df5ec04
Opcode Fuzzy Hash: 83ac16eec7294b6d14fd14f896d4404261de3e933041e4bf8d38d61f137b3ab4
Instruction Fuzzy Hash: 5E31AB729043899FCB11DFA9C840ADEBFF8EF49310F18849AE554AB261D335D954CFA1

Function 0280045B Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 028004F0

Memory Dump Source

Source File: 00000007.00000002.2126532509.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2800000_Exccelworkbook.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2b87a02a9bea3d8652bf8dcca3001b71d65d1971e8f8dc10feed04898f645926
Instruction ID: da7955afc2e79193c0339f37421c93ebb23a2239fc85e104efa60186529c08a9
Opcode Fuzzy Hash: 2b87a02a9bea3d8652bf8dcca3001b71d65d1971e8f8dc10feed04898f645926
Instruction Fuzzy Hash: 0D2144B59003499FCB10CFAAC884BEEBBF5FF48314F10842AE959A7251C7789945CBA0

Function 02800460 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 028004F0

Memory Dump Source

Source File: 00000007.00000002.2126532509.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2800000_Exccelworkbook.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1c83cd5b4d0392000b918db193b67cbf211c73406b96d22948369d28e5806b8e
Instruction ID: bac6728337b0d38a14c718c5ddec361bc21e5bcd4e09e5c2b9b54c84b8179e31
Opcode Fuzzy Hash: 1c83cd5b4d0392000b918db193b67cbf211c73406b96d22948369d28e5806b8e
Instruction Fuzzy Hash: 822136B59003599FCB10DFAAC985BEEBBF5FF48314F10842AE959A7240C7789944CBA4

Function 02800548 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 028005D0

Memory Dump Source

Source File: 00000007.00000002.2126532509.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2800000_Exccelworkbook.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ea8803527eb5a52198615a3ef81d3c36c0eb2559c92e14ab99a1d9eec0335f80
Instruction ID: 69609452d49f34ad05f88eb0b88baf485ba3964cd1f75cda1afe79105e62ddc2
Opcode Fuzzy Hash: ea8803527eb5a52198615a3ef81d3c36c0eb2559c92e14ab99a1d9eec0335f80
Instruction Fuzzy Hash: BA2123B58002499FCB10DFAAC881AEEFFF5FF48320F10842EE559A7240C7799945CBA1

Function 0122D7A0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0122D82F

Memory Dump Source

Source File: 00000007.00000002.2125949547.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1220000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 463542283c2025899e75d2ab6c1c8544e3a4e2c2a7ad467362043e1f6e8f3a77
Instruction ID: 5561abc0655fd93c8a90505233ef0a31d73f8e72ac519e39fb98f5701b034456
Opcode Fuzzy Hash: 463542283c2025899e75d2ab6c1c8544e3a4e2c2a7ad467362043e1f6e8f3a77
Instruction Fuzzy Hash: 232105B5800259AFDB10CF9AD584AEEBFF8FB48310F14841AE958A7210C378A945CFA1

Function 028002C0 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02800346

Memory Dump Source

Source File: 00000007.00000002.2126532509.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2800000_Exccelworkbook.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 56fe344f9f56b6c261cc5c9feb6f8799bed6fd19e6f840a075864263b827f3d0
Instruction ID: 3b7a22a102bf42d8e31f4f39992baffc4eca4c94fd3cfc3b6ab0d895f0493132
Opcode Fuzzy Hash: 56fe344f9f56b6c261cc5c9feb6f8799bed6fd19e6f840a075864263b827f3d0
Instruction Fuzzy Hash: 442157759002088FCB10DFAEC9847EEBBF4AF88324F148429D559A7280CB789985CBA0

Function 028002C8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02800346

Memory Dump Source

Source File: 00000007.00000002.2126532509.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2800000_Exccelworkbook.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e3ec8ed23630a6a5ffb2dceafa3c410d2d085d97184cdd6a1287481024d4e568
Instruction ID: 6b8d8d4a8e2cd6e93d5f429cc666effbab91c6cd5831421deb2da349bc569d80
Opcode Fuzzy Hash: e3ec8ed23630a6a5ffb2dceafa3c410d2d085d97184cdd6a1287481024d4e568
Instruction Fuzzy Hash: FB2147B5D003098FDB10DFAAC8857EEBBF4EF48314F14842AD559A7240CB78A945CFA1

Function 02800550 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 028005D0

Memory Dump Source

Source File: 00000007.00000002.2126532509.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2800000_Exccelworkbook.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a3b546666a62aa9de1b584476bba1d02ce91d64d64ad08a2e0ab1aadd19468f0
Instruction ID: eb2842d8bc112277f066e3034cce1b7bf76e79e24ba78503a9cd3fd520f7d1aa
Opcode Fuzzy Hash: a3b546666a62aa9de1b584476bba1d02ce91d64d64ad08a2e0ab1aadd19468f0
Instruction Fuzzy Hash: A42137B5C003499FCB10DFAAC881AEEFBF5FF48310F10842AE559A7240CB789945CBA1

Function 0122D7A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0122D82F

Memory Dump Source

Source File: 00000007.00000002.2125949547.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1220000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 650caae8127612e9148c446f419fca5a37c6bf353d5eac2bb586b93fb94d414b
Instruction ID: dfd82d750ab0c368f48da7ce3ac1fb421604e50cbcfde8e2f23f38a3f9e6fcd6
Opcode Fuzzy Hash: 650caae8127612e9148c446f419fca5a37c6bf353d5eac2bb586b93fb94d414b
Instruction Fuzzy Hash: F521E4B5900258AFDB10CF9AD584ADEBFF8FB48310F14841AE918A3310D378A941CFA1

Function 06D77624 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06D7A8A2,?,?,?,?,?), ref: 06D7A947

Memory Dump Source

Source File: 00000007.00000002.2168740516.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d70000_Exccelworkbook.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 86a20d2e8f0e16a2a8e5455b7b9e84414521e43147152bf5b86efa99c9948859
Instruction ID: 9fe3a2feda61300facf13d22dad76c036d887073e98b0b8b89c21146e3d320f7
Opcode Fuzzy Hash: 86a20d2e8f0e16a2a8e5455b7b9e84414521e43147152bf5b86efa99c9948859
Instruction Fuzzy Hash: 411167B1800249DFDB10DF9AC844BEEBFF8EB48320F14841AE559A3210C339A950CFA5

Function 02800210 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0280027A

Memory Dump Source

Source File: 00000007.00000002.2126532509.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2800000_Exccelworkbook.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5d23a3ba7dd24a26a8fbe578166765521e330790cc08334766298339fa60b538
Instruction ID: a3a5a6de0e86bfb6f0b5186383ca08e06c17a1608ffd53904aff7430ad38e8d5
Opcode Fuzzy Hash: 5d23a3ba7dd24a26a8fbe578166765521e330790cc08334766298339fa60b538
Instruction Fuzzy Hash: DA1137B9D002488EDB20DFAEC8847EEFBF5AB88314F248419D459A7240CB796945CBA0

Function 028003A0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0280040E

Memory Dump Source

Source File: 00000007.00000002.2126532509.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2800000_Exccelworkbook.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f7790ce0ed34855c2bb3c9b1f8001288707f0055210e1072fdb1a8ebd2eb5445
Instruction ID: 47a6739e7d09ab2790be06602e49c1b9d9876b02af04a47b4fa26af75044a8e1
Opcode Fuzzy Hash: f7790ce0ed34855c2bb3c9b1f8001288707f0055210e1072fdb1a8ebd2eb5445
Instruction Fuzzy Hash: 491126759002499FCB10DFAAC844AEEBBF5EF88314F208819E519A7250CB79A544CBA1

Function 028003A2 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0280040E

Memory Dump Source

Source File: 00000007.00000002.2126532509.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2800000_Exccelworkbook.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4ab38bda004237de73cd89db6c8d507ba3d6bd8b92422c99918067fc36a22d5a
Instruction ID: 1aefaca0faa2e49396bff73f5ffde7ac2a2256508f19f5ae50ab4cff31f3436b
Opcode Fuzzy Hash: 4ab38bda004237de73cd89db6c8d507ba3d6bd8b92422c99918067fc36a22d5a
Instruction Fuzzy Hash: F21134759002498FCB20DFAAC844BEEBFF5FF88314F208819E519A7250CB799945CFA0

Function 02800218 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0280027A

Memory Dump Source

Source File: 00000007.00000002.2126532509.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2800000_Exccelworkbook.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d8b0bbb2672942925aa44093a103155d38ab352c373cd89e89c654310360eba7
Instruction ID: a4fe604ce71e054f787247dbd67fb1c85b4d96f739e0f9ad1831570628e0b131
Opcode Fuzzy Hash: d8b0bbb2672942925aa44093a103155d38ab352c373cd89e89c654310360eba7
Instruction Fuzzy Hash: E41128B5D002488FCB20DFAAC4457AEFBF5EF88314F208419D519A7240CB79A545CBA5

Function 02802B99 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02802BFD

Memory Dump Source

Source File: 00000007.00000002.2126532509.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2800000_Exccelworkbook.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9d55cee80ad03a99bdca57cf3348bff3d40a95e655f7ee84f62fd6d9066bb4df
Instruction ID: b30d17d4a0fe2074f3f1205a0a9ae8e4a006b1579120a5f8b9e740de83b3f7ae
Opcode Fuzzy Hash: 9d55cee80ad03a99bdca57cf3348bff3d40a95e655f7ee84f62fd6d9066bb4df
Instruction Fuzzy Hash: 111125B9800289DFCB20DF99D989BEEFFF8EB48310F108459E558A3641C379A544CFA1

Function 0122B4B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0122B51E

Memory Dump Source

Source File: 00000007.00000002.2125949547.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1220000_Exccelworkbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9489ac4b5ffe9ee3adcd55c74906c915cb2ecac22f8e3c19a068a9e792799fa9
Instruction ID: 442389c805ad1002615185d90ed706a5ab24a05815fa86b1c47d23e6b32cd07a
Opcode Fuzzy Hash: 9489ac4b5ffe9ee3adcd55c74906c915cb2ecac22f8e3c19a068a9e792799fa9
Instruction Fuzzy Hash: DF1110B5C002598FDB10DF9AD444ADEFBF8EF88310F14841AD529A7200D379A545CFA1

Function 02802BA0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02802BFD

Memory Dump Source

Source File: 00000007.00000002.2126532509.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2800000_Exccelworkbook.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ef56cdcf89d906a66536db823406f32a287d9986cb2e665680da40c00fc0c3aa
Instruction ID: fdddcb4158b4ec2c8a8353c814acf6a7e328cfcb99791a020b2c4c9937ade60a
Opcode Fuzzy Hash: ef56cdcf89d906a66536db823406f32a287d9986cb2e665680da40c00fc0c3aa
Instruction Fuzzy Hash: F911D3B98003499FDB20DF9AD989BDEBBF8EB48314F108459D958A7640C379A544CFA1

Function 06D604C8 Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

(aq, xrefs: 06D60665

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 6ba69e78797f787b8c37c731e346b6884dbdbc1cbe9eba398f7385de2058a68b
Instruction ID: ecf03fc27b36c3c9f4d92c2c0ae6f9bfef7160d6b869e0bfaa8e224b5f985da2
Opcode Fuzzy Hash: 6ba69e78797f787b8c37c731e346b6884dbdbc1cbe9eba398f7385de2058a68b
Instruction Fuzzy Hash: 1A71E330A003059FDB65DB6AD954BAEBBEAEFC4300F148829E816972A4DF74DD41CB91

Function 06D65AC8 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

8aq, xrefs: 06D65B40

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 62f86fbdea7e3de85886e2bb39bcb835df948ea41b2c99de0c0a6a4208ad57ef
Instruction ID: bf4f33f607996a03cb2d8cee2785706c20f9bce3cd7f8fcd1ddb47d8744d5a7a
Opcode Fuzzy Hash: 62f86fbdea7e3de85886e2bb39bcb835df948ea41b2c99de0c0a6a4208ad57ef
Instruction Fuzzy Hash: 0431F374E11209DFDB44DFAAE4846EEBBB6FB88310F10802AE415A7350DB709981CF91

Function 06D65AB9 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

8aq, xrefs: 06D65B40

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: d7692728a4f215f3fe150255665de9f73d4d94bbfa8c496cd8f19a75d733dee8
Instruction ID: 2895b31dbaa2395887fcc2149c297df1ce262228416439660a7a8c365f3754c4
Opcode Fuzzy Hash: d7692728a4f215f3fe150255665de9f73d4d94bbfa8c496cd8f19a75d733dee8
Instruction Fuzzy Hash: D8310774E11209DFDB44DFAAE4846EEBBB2FB88310F10806AE415B7250D7705985CF91

Function 08359FB0 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0835A010

Memory Dump Source

Source File: 00000007.00000002.2169061991.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8350000_Exccelworkbook.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3bea8a76a81e10c24b23820f36c7b97454dc937df0c58b9ea1eddd9dbe7b2fa9
Instruction ID: f2f966febd79f56b1f251281885181f3ef0cd9aaaaa7a1829404fb335ba142a4
Opcode Fuzzy Hash: 3bea8a76a81e10c24b23820f36c7b97454dc937df0c58b9ea1eddd9dbe7b2fa9
Instruction Fuzzy Hash: FC1166B58003488FCB20DF9AC445BDEBFF4EF48320F10841AD958A7240C738A584CFA1

Function 08359FB8 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0835A010

Memory Dump Source

Source File: 00000007.00000002.2169061991.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8350000_Exccelworkbook.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: abd605dd17ff7da986bacd31d52b0155cd858c0f23fe46a1d4253443a30dcf83
Instruction ID: c34c1b961a935bc9b55f7db6579df59503d913066a5bd854dd281f9bb7eab2f7
Opcode Fuzzy Hash: abd605dd17ff7da986bacd31d52b0155cd858c0f23fe46a1d4253443a30dcf83
Instruction Fuzzy Hash: 271115B58007598FCB20DF9AC545BDEBBF4EF48320F20841AD958A7740D779A944CFA5

Function 06D62F30 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37063aa64d2373fda3a244ce5b0301a3999e5da2f85eb52143fcae1995a6c5b5
Instruction ID: 2559a5fe9e53c30653498e3c70cddef47874ec0cc47538fe651514e9180e5444
Opcode Fuzzy Hash: 37063aa64d2373fda3a244ce5b0301a3999e5da2f85eb52143fcae1995a6c5b5
Instruction Fuzzy Hash: EAF1C835D1061ACBCF10DFA8C954AEDB7B5FF88300F1196A9D559B7214EB30AA85CF90

Function 06D62F20 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fed7811fcf3d563d9d1f3957829bba7e172175ae90fcb3554b0da9e9a2c9461
Instruction ID: f383b8e13b53fe9d2979b45b098393430346065b7e7bd4c034cb40c3153f6161
Opcode Fuzzy Hash: 5fed7811fcf3d563d9d1f3957829bba7e172175ae90fcb3554b0da9e9a2c9461
Instruction Fuzzy Hash: BBE1EA35D1061A8FCF10DFA8C9446EDB7B5FF89300F1196AAD549B7215EB30AA89CF90

Function 06D63540 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbcb1b07216c6b8b619af30e500790d2ebce62a286bbe8d4bdc86fa828253082
Instruction ID: 22eedd71d5c05d818f306a0464d0cc3b9a0c58148f4b855f19277ce0c1ff7664
Opcode Fuzzy Hash: bbcb1b07216c6b8b619af30e500790d2ebce62a286bbe8d4bdc86fa828253082
Instruction Fuzzy Hash: 12C15E30E00219CFDB54DF69C844AADB7B2FF85304F1585A9E446BB361EB70AE85CB91

Function 06D669F8 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c11bb906f41baeac4bffd53ac4131d3e5b43174451e6d221657ea499bad395b
Instruction ID: 7b1d0acc8a47f3cfac3f28595e67d36dbd4ab177a0bf7a6f5b0ec87ce83276a4
Opcode Fuzzy Hash: 0c11bb906f41baeac4bffd53ac4131d3e5b43174451e6d221657ea499bad395b
Instruction Fuzzy Hash: 96A1C074D04269CFEBA0DFAAC884BADBBF1FF09304F10919AE449A7241D7749985CF52

Function 06D643B0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fa4ee252df15fc192cc5c7d0c301fea77f2d5d9fae2b7964d093521ab5f5eb
Instruction ID: a0ff0253c6d6cce4045fe09dff93fb5f84e554213842b28c752ceeee82b171fc
Opcode Fuzzy Hash: e1fa4ee252df15fc192cc5c7d0c301fea77f2d5d9fae2b7964d093521ab5f5eb
Instruction Fuzzy Hash: 5F914634D05209CFCB44EFA9D5859EEBBF6FF49300F108469E945A7364DB70A855CB90

Function 06D643C0 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c19513478e6d497f4c404b33c96f9e9f6a25f22035bcbc18894a82f5f26c88a
Instruction ID: 2291d116c663f1a7efe003af6211bd3aeeac3d72ebd067d472c5ecc9f364cea4
Opcode Fuzzy Hash: 2c19513478e6d497f4c404b33c96f9e9f6a25f22035bcbc18894a82f5f26c88a
Instruction Fuzzy Hash: 91913334E05209CFCB44EFA9D585AEEBBF6FF49300F108429E945A7364DB70A855CB90

Function 06D65D31 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf0520a77be50310a3d620247f88b51a41a2b98a4ae467dfb3146a7349ec74a
Instruction ID: 54fc88046ad63455e170aa9d34ad36bd6f52dbbdbfca720d3d64655d2debc463
Opcode Fuzzy Hash: ebf0520a77be50310a3d620247f88b51a41a2b98a4ae467dfb3146a7349ec74a
Instruction Fuzzy Hash: 6491D1B0D01219DFEF54CFAAE8487EDBBB2FB89310F108069E519A72A1DB744985CF50

Function 06D6AF78 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4649684ff42ecf1db7f11856650768b5b37d184381f1f47b4ed0f2b483717e67
Instruction ID: 3ecb65596aa8f00943e7d778824f785db5cbb9ff24dc35d55e62d4b9de6a4a50
Opcode Fuzzy Hash: 4649684ff42ecf1db7f11856650768b5b37d184381f1f47b4ed0f2b483717e67
Instruction Fuzzy Hash: CF71E270908209DFDB84CF9AC4845AEFBBAFB4E301F14E156E45AA7246C734E995CF90

Function 06D6EC80 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20231adff61e0bf56afcc230cdf32fa9a297fad03aa20cd7feb54060e4f31fc3
Instruction ID: aecf41232b35ae8e7bbec0086ebe2d4f4a3b5a052fb0e6a8364ffd1ea2a0164d
Opcode Fuzzy Hash: 20231adff61e0bf56afcc230cdf32fa9a297fad03aa20cd7feb54060e4f31fc3
Instruction Fuzzy Hash: 4D51B735E081258FCB989B7EC8441AEBFF2EFC9300B15846AE409D7351DB358C42CB91

Function 06D64F60 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ab0044c1ba25fefa1bcc8055fb8c3c15b7454d2ae1a49dfb1902b402010c90
Instruction ID: 63090bc8977bfe91b8be2e4c439bb8386ff07ee717b4956a4546656019fc71f8
Opcode Fuzzy Hash: b5ab0044c1ba25fefa1bcc8055fb8c3c15b7454d2ae1a49dfb1902b402010c90
Instruction Fuzzy Hash: F851A274D15209CFEB40DFA6E5896AEFBF6FF49301F10902AE91AA7240DB705985CF80

Function 06D69E30 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e53e5e900d22caa9b5143b5c87275357e2f36b24c3c5c9cca3020978ca5bfc
Instruction ID: 5d50b9d8057dc25d8e9b98b09b061e5372c801fe43222ffa3c214047b60dd5e8
Opcode Fuzzy Hash: 31e53e5e900d22caa9b5143b5c87275357e2f36b24c3c5c9cca3020978ca5bfc
Instruction Fuzzy Hash: E3417070E092099FDB48CBAAD4506FEBBF6FF89301F14D029F459AB252D7309945CB90

Function 06D64F70 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a1c642004eb7adf959eeca4a2b017afc7aa4172e54b3bbb6bed2d68fb81206
Instruction ID: 1341ba085cff7bcefc5c540a90617490dbf51a226bb484824607a35e095d33ff
Opcode Fuzzy Hash: 92a1c642004eb7adf959eeca4a2b017afc7aa4172e54b3bbb6bed2d68fb81206
Instruction Fuzzy Hash: F851A074D15219CFEB40DFA6E5896AEFBF6FF4A301F109029E91AA7240DB705985CF80

Function 06D62318 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e09ef0d0d1ed22635aea8952ce20e57d9bbde959ccb2e74b10cf011dea358e2
Instruction ID: e8ccdbc67ee811812ebc101d16d7bef434993b7d205b41faf539d2b4b4335ea4
Opcode Fuzzy Hash: 2e09ef0d0d1ed22635aea8952ce20e57d9bbde959ccb2e74b10cf011dea358e2
Instruction Fuzzy Hash: E8414B30E012099FDB44DFA9D854AADBBB2EF89310F148169E851FB3A0DB75ED41CB50

Function 06D607B0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5f386b6762d152ee4d02c6058437b34f3ac69731a892247bf9dfdf037d1441
Instruction ID: f7d0a2f2140ccd62e7d6d8d220aabbe6607dbe24c04659bddc3ecca0e3ee310f
Opcode Fuzzy Hash: df5f386b6762d152ee4d02c6058437b34f3ac69731a892247bf9dfdf037d1441
Instruction Fuzzy Hash: C9413E31F102048FDB54DFA9C6986ADBBF6EF88315F148069E416AB361DB35DD41CB60

Function 06D6CCF4 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37f35b97a16c6fe9cc970a81d2bcb1139567e1cbcdfc13497b8729de34aafde
Instruction ID: 32435f1b5b83c9c5237d418964e115aed1e10ed5461724c7e11be32232c8a961
Opcode Fuzzy Hash: d37f35b97a16c6fe9cc970a81d2bcb1139567e1cbcdfc13497b8729de34aafde
Instruction Fuzzy Hash: FB516B34A00219CFEF54DF68D894A9DBBB6FF88301F208169E449AB316DB709D86CF51

Function 06D62328 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3faa990b9c5a6beeb68ce11ebe32a05684fae361bbc242d5017065f13bd3c3a0
Instruction ID: 223ab30cbba7f534945933ca9180dc954355da0061243811fe60efdce05d34bd
Opcode Fuzzy Hash: 3faa990b9c5a6beeb68ce11ebe32a05684fae361bbc242d5017065f13bd3c3a0
Instruction Fuzzy Hash: 3D412930A102089FDB44DFA9D854AADBBB2EF89310F148569F451BB3A0DB74ED41CB50

Function 06D65003 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383c731fdaa1e07484ed270762c77414d89ed7152fac53fa20167b6c13469615
Instruction ID: 5c2df8d1926547a86e046f96d2915b6c3960aefa6ee06228c7e8f01ef537da75
Opcode Fuzzy Hash: 383c731fdaa1e07484ed270762c77414d89ed7152fac53fa20167b6c13469615
Instruction Fuzzy Hash: FA415B74D15248CFEB40DFA6E4896ADFBF6FB0A311F10902AE91AA7340DB345985CF90

Function 06D68B98 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67eae5c2d1aac5f7bcdb2e6f1426cf18e1f90fc176a7f0ec881b65c7583772fe
Instruction ID: 245414d85716c539febfa8627da75caba27c8f2fb2a5a60f53f45fb9ca61c6e9
Opcode Fuzzy Hash: 67eae5c2d1aac5f7bcdb2e6f1426cf18e1f90fc176a7f0ec881b65c7583772fe
Instruction Fuzzy Hash: 7C31E52185F7E02FD703973C99B5585BF74AE43214B1E81EBC0C48F4A7DA58984DC7AA

Function 06D66FE8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683d8b206f73510d8673407c1ed578263f42a917a942e11f65406fd1cf487f6e
Instruction ID: a7d0d78633d9e9a069788924adf0c5d62397ca993966012f53c31b64fcee6f21
Opcode Fuzzy Hash: 683d8b206f73510d8673407c1ed578263f42a917a942e11f65406fd1cf487f6e
Instruction Fuzzy Hash: 06414370E1121DDFDB44CFAAC8406EEBBB2FF88315F109829E015A7250DB769980CFA0

Function 06D66FD9 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc0d8cb8ac48e8ff80e90233cceae2f847f6b9fd72f2043697c9e8833ffa749
Instruction ID: e66123dde298a5c7b866615040f6270fce2c3638ceab1d10ca3a3dcfc153968f
Opcode Fuzzy Hash: fcc0d8cb8ac48e8ff80e90233cceae2f847f6b9fd72f2043697c9e8833ffa749
Instruction Fuzzy Hash: 52317370D15208CFDB44CFAAC8406EEBBB2FF49314F14846AE011B7290EB768980CFA0

Function 06D604B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8389431865c3d7a581805d0b3dfa2028f98ec79ece8ee74b60d33bb3a1a132ed
Instruction ID: f685468fdc82b27cbbdcbcc5858f8f11a1281b70fbd6d829dd99d5c43bc3b369
Opcode Fuzzy Hash: 8389431865c3d7a581805d0b3dfa2028f98ec79ece8ee74b60d33bb3a1a132ed
Instruction Fuzzy Hash: D031CF70A01205EFDB54DFA5C954BAEBBFAEF88300F10892DF405AB291DB75DA44CB90

Function 06D6EB58 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51272970aa6769cbbc9e0c97c20fc1dc6ed964dfa4af5ca653d38a70b74f95d
Instruction ID: 989c5ed2f6e6d5a1052e32a1b9939d33133c7b947d6eb04185d1f46afb502cb0
Opcode Fuzzy Hash: e51272970aa6769cbbc9e0c97c20fc1dc6ed964dfa4af5ca653d38a70b74f95d
Instruction Fuzzy Hash: 4131A234E142589FDF44DBB9D8946EEBBB6FF88310F104469E402A7285CF344945CB65

Function 06D6AF63 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43276a5d042c08f89887868b78e0571a8f35bbf50a7518e2f8c983230296288
Instruction ID: c90ace5fe2f7af3dba585b6dba27c0252287ccaf51e91036e162bcfaa1aeec46
Opcode Fuzzy Hash: c43276a5d042c08f89887868b78e0571a8f35bbf50a7518e2f8c983230296288
Instruction Fuzzy Hash: 50314970D09208DFDB48CFA7C4445EDBBFAAF8E311F24906AE449A7251DB358945CF91

Function 06D60100 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aee4feb308ff96d4296ef0d31b145ea8e480f927a01747d54d2c3f1a17a7e85
Instruction ID: b7ebccb61624fb223fbbdc1202fa4d22b299fa993118baacce717d3f38f9ea08
Opcode Fuzzy Hash: 0aee4feb308ff96d4296ef0d31b145ea8e480f927a01747d54d2c3f1a17a7e85
Instruction Fuzzy Hash: 33212575A052019FDB40DF66EE54B6A7BF8EF84384F04405AF005DB295E738DE04C7A0

Function 06D62D90 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76cc054cc1e1b5000cdb8d823447d68e642c624918d6641afda1e31adc2fb6ff
Instruction ID: 3708e30937bc3e7bd33c13ea44b63995121d7cab6822b549e5a176ef314f3bb5
Opcode Fuzzy Hash: 76cc054cc1e1b5000cdb8d823447d68e642c624918d6641afda1e31adc2fb6ff
Instruction Fuzzy Hash: 51216275B002058FCB44EF69CC948AEB7B5FF893007114679D905EB352EB30EA05CBA1

Function 06D60110 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d150c26e0f70a74c8251eac8b53a1d2da60657a2e75c180bc5dbfd27f3dfe2
Instruction ID: 24a9fd581bb6886485b3a3761b2b7538a814555602987545dd6ab2a8fdcddb7f
Opcode Fuzzy Hash: d3d150c26e0f70a74c8251eac8b53a1d2da60657a2e75c180bc5dbfd27f3dfe2
Instruction Fuzzy Hash: 7621C879B00215DFDB10DFAAEA44B6E77F8FB84389F404429E519DB285D738D905CB90

Function 00C0D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2122322503.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c0d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a974476802e2d052140e79c9728207a92df625f937d5c703bf2a65b8ba4abf39
Instruction ID: b543da504cc85f0a97355ba473f7956ed85c2708b11c472ea1135d78ac6768ee
Opcode Fuzzy Hash: a974476802e2d052140e79c9728207a92df625f937d5c703bf2a65b8ba4abf39
Instruction Fuzzy Hash: 2D210771504204DFDB05DF94D9C0F26BF69FB98324F24C569E90B0B296C33AE856DBA2

Function 06D6FD60 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfcb874a24daa9e4044d33e769ca8e930e5fadc163e841ff8130f4b1b8b8c83b
Instruction ID: 8b0eb05adc5d70abcc726f9980941a5f35494f81695ca2fc6b8027b57e73ddae
Opcode Fuzzy Hash: cfcb874a24daa9e4044d33e769ca8e930e5fadc163e841ff8130f4b1b8b8c83b
Instruction Fuzzy Hash: 1D312974D046089FCB45DFA9D488ADDBBF1EF88310F10816AE815A7361DB74A945CFA4

Function 06D6FD70 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a5fb6271984d323c3ee9e21a37145e58e55b479d871567724ed072f5648458
Instruction ID: c3d0e5a090211f38e2c45d17457354591c5003c5535dacb9cdac8b43b18ce258
Opcode Fuzzy Hash: d1a5fb6271984d323c3ee9e21a37145e58e55b479d871567724ed072f5648458
Instruction Fuzzy Hash: 5431D474E106089FCB44DF99D884AEDBBB6EF88310F10812AE915A7361DB74A944CFA0

Function 00C1D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2123244228.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c1d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c09d65bbbd82a8ebf9f1162ebc2f6f3a28bc9494bd90bd3beb9ea607a58fa58
Instruction ID: f5f6ff95a7965148155d878b4e853b42049630606df4b94fa525f9dbb55bd57c
Opcode Fuzzy Hash: 8c09d65bbbd82a8ebf9f1162ebc2f6f3a28bc9494bd90bd3beb9ea607a58fa58
Instruction Fuzzy Hash: E821F571504204EFDB05DF14D5C0B66BBA5FB85314F20C6ADE91A4B356C33ADC86EA61

Function 00C1D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2123244228.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c1d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e24ac08952e7ea86a96b869cd3d2fbdce064585810d595d056e5737808fde5
Instruction ID: 5c91b1f0e4129f9696c909d54b4feba84df6486891e3fe299337927a33b52d83
Opcode Fuzzy Hash: f1e24ac08952e7ea86a96b869cd3d2fbdce064585810d595d056e5737808fde5
Instruction Fuzzy Hash: 2921F275604204DFCB14DF24D9C4B66BF65FB89314F20C5ADE90A4B396C33AD887EA62

Function 06D62DA0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893496e833c70e21bacd81eb6b2b5a7956ee3eff292ee488eed89b536d71f2a1
Instruction ID: ab8f092816904200a0422990bab19efc6ac913491909da9d195e64c43ea28e5b
Opcode Fuzzy Hash: 893496e833c70e21bacd81eb6b2b5a7956ee3eff292ee488eed89b536d71f2a1
Instruction Fuzzy Hash: A2210175E102098FCF44EF69C8949AEB7B5FF88300B118679D905A7351EB30AA45CBA1

Function 06D6E180 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9087ae088524151a5505d33b5409592f560ec6f7bbbe7422216b33f516c0f7a8
Instruction ID: 6f5c35f2de1ba6d57c44c3bffd4c9335b5c4082bf78f8f0b263f67c315dff9e5
Opcode Fuzzy Hash: 9087ae088524151a5505d33b5409592f560ec6f7bbbe7422216b33f516c0f7a8
Instruction Fuzzy Hash: 9411B438F081559FDBA89B7A9C106BB7BB6AF88710F148528F84587391EA348901D7D0

Function 06D6CE56 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9f221cf8b796f737d1c841c627ec32852408edaf82c6b8c32e7ebe5439abd7
Instruction ID: 3751a833a5d4d5ecf62e594a64103a8d012f2fa8bd2c0a881f34a537a184e0c2
Opcode Fuzzy Hash: fd9f221cf8b796f737d1c841c627ec32852408edaf82c6b8c32e7ebe5439abd7
Instruction Fuzzy Hash: C0314A34E00209CFEF54DFA8D49459DBBB6FF88301F20812AE456AB316DB749846CF51

Function 00C1D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2123244228.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c1d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade61a8e551f5515387a10adc6dade5334cbbd3ed71e0051f3edc5ec90ea3d00
Instruction ID: 961bead65471060af383800d4c0322cac11d115843066f7e1a6c460e79dde2ee
Opcode Fuzzy Hash: ade61a8e551f5515387a10adc6dade5334cbbd3ed71e0051f3edc5ec90ea3d00
Instruction Fuzzy Hash: B2219F755093C08FCB02CF24D994715BF71EB4A314F28C5EAD8498F2A7C33A984ADB62

Function 06D65C67 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5352517618004f813e00f5d646273d96be2e3b33353366b67dbaa731ecb723e8
Instruction ID: 6f501f6a4f8e13a2824faabd0c5cbc50a3f308dd75af17ea1746ab6dcfc6b1b6
Opcode Fuzzy Hash: 5352517618004f813e00f5d646273d96be2e3b33353366b67dbaa731ecb723e8
Instruction Fuzzy Hash: 20211A75D01219CFDB54CFAAD4456EEBBF2AB88321F01806AE416B3380E7755995CF90

Function 06D65C78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a23da0ff940db1102fcfa29aec7e441e32dd287d904d6183871f973a8e7fbac
Instruction ID: 94be1be42529605640917127f1983d43a87d847d407dea159130f34fef05074d
Opcode Fuzzy Hash: 9a23da0ff940db1102fcfa29aec7e441e32dd287d904d6183871f973a8e7fbac
Instruction Fuzzy Hash: 4811F970D11219CFDB44CFAAD4456EEBBF6EB88310F118029E516A3380EB755981CF90

Function 06D625C9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6d859b8cd2e5d4f1de8af8856985569d3a74806e596c47aec1f33331519aa3
Instruction ID: c7ba743ccb25b82cbe9623982df970521f0c39ea8d46b7819ed486fc10a91f4a
Opcode Fuzzy Hash: fe6d859b8cd2e5d4f1de8af8856985569d3a74806e596c47aec1f33331519aa3
Instruction Fuzzy Hash: 2B115971E093818FE7829B24C8207697BB59F46304F0505DAD091DF2D2DB38D945C762

Function 06D659B8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6796890339882ca7ba4727a53a53cd759539f72227d4775a277e2f7fadadcc3c
Instruction ID: 4decbf1c4c732675a30cc417373812697dfe88910cfa2236ecd5eccc110114e3
Opcode Fuzzy Hash: 6796890339882ca7ba4727a53a53cd759539f72227d4775a277e2f7fadadcc3c
Instruction Fuzzy Hash: 8811C9B4D14209DFDB44DFAAD4856AEFBF2BB49300F14816AD415E3250E7745A81CF50

Function 00C0D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2122322503.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c0d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 512299368e19a480332eeeb743f1cfdb9a6bdb065377343d02f9dc4ebf530cb2
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 54112672404240CFCB02CF84D5C4B16BF71FB94324F24C6A9D90A0B256C33AE95ACFA2

Function 06D66E10 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4def2627d59032675de208a70fd25f8dc04d03137200007c22914e8a1a270187
Instruction ID: 565f68874c954fa53796d49a41f2fe96376a7610bccc804663ab7a30ed563a44
Opcode Fuzzy Hash: 4def2627d59032675de208a70fd25f8dc04d03137200007c22914e8a1a270187
Instruction Fuzzy Hash: A611FBB0D05249DFDB84DFAAD9452EEBFF5AB49200F14C0AAE418E3251E7758A44CF91

Function 06D659C8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7944e1d396f690e422154562832622990361259f286b2880fd9469b960a983e
Instruction ID: 5ffd2dbe8a1d13e4a0211115d150a802939f9a0896bb4957e231ff7fd57395d3
Opcode Fuzzy Hash: d7944e1d396f690e422154562832622990361259f286b2880fd9469b960a983e
Instruction Fuzzy Hash: C811B9B0D14209DFDB44DFAAD4816EEFBF5BB49301F10816AE419E3250E7745A81CFA0

Function 00C1D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2123244228.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c1d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: b2706f1c8b5518256cef6cb9fc2ecbf6eebbf3c5a1ad08527fcb02ca7e135f8e
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: C211BB75504280DFCB02CF14C5C4B15BBA1FB85314F24C6A9D85A4B696C33AD89ADB62

Function 06D66EB8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265656e46fc565321692216d2b571f59ebb415c3bb479dcf864b71603b27ab4c
Instruction ID: dbf6955c54364e0f29a84129d1b8ca5b3ebb7172ad087c3e72518a3ee35bd733
Opcode Fuzzy Hash: 265656e46fc565321692216d2b571f59ebb415c3bb479dcf864b71603b27ab4c
Instruction Fuzzy Hash: 4811D3B4D05259DFDB80CFAAD5402EEFBF1AB49304F1484AAE818E3211E7749A45CB91

Function 06D6B3A7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e011d357f2c83ebc30cda72cbd0e0a41e5cc908eff84d681186c402bdf712ef
Instruction ID: 470ba3176f085b9f98ebffc139190713d7d73048badbecc991183d4b2f7af545
Opcode Fuzzy Hash: 9e011d357f2c83ebc30cda72cbd0e0a41e5cc908eff84d681186c402bdf712ef
Instruction Fuzzy Hash: 56015E34A05108DFCB44DFA9C684A99BFF5EF09210F288196E409DB362D670D915EB40

Function 06D62518 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b44db57ac0361443e0e221861df4eec309e354428c8a4fcfb724111be1d14a
Instruction ID: 87e7cbf5e57c7cfabf7a68b52020e947e655416670ccadfc24a3ad2708f6ecda
Opcode Fuzzy Hash: e0b44db57ac0361443e0e221861df4eec309e354428c8a4fcfb724111be1d14a
Instruction Fuzzy Hash: 9011E176D0420A9FDB84EF69C851BAEBBB0EF48304F048529D511FB395EBB89641CBD1

Function 06D66EC8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73a613616269d03e192f99df6b1d26f4725b27631a410c68bccd3b79505a058
Instruction ID: a45075f2e232339f98e7ee122a1463848964d19eabe0fbbf04d8a3eb04912e35
Opcode Fuzzy Hash: b73a613616269d03e192f99df6b1d26f4725b27631a410c68bccd3b79505a058
Instruction Fuzzy Hash: 5411C9B0D05249DFDB84DFAAD4416AEFBF5FB49304F1084AAE818E3241E7749A41CF91

Function 06D66E20 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e2737946faa20280aa4774a1032d37000b638bed4c6d5efaf4004dbd84e435
Instruction ID: b3950978523bd65775d822eac0be1dbaf35dc3f6039f509fefedd20fb01b62b6
Opcode Fuzzy Hash: a6e2737946faa20280aa4774a1032d37000b638bed4c6d5efaf4004dbd84e435
Instruction Fuzzy Hash: A211E8B0D05249DFDB84DFAAC9452EEFBF5AB49200F10C06AE418E3251E7749A41CF91

Function 06D606E0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82ebb19d9762c90fe5b9ec968a1b8ace1d015ad4ee51dc4f0ede30f74ec0056
Instruction ID: 359193926e2605e9e9900a35ec2eed60eeefba495e0703e625fe4270ff067c99
Opcode Fuzzy Hash: a82ebb19d9762c90fe5b9ec968a1b8ace1d015ad4ee51dc4f0ede30f74ec0056
Instruction Fuzzy Hash: 8D01A731E003058BE769972BDA88B6FBB9FEFC0350F14C829E94646668DF74D846CA50

Function 06D6CD4B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62bae492387d450fe2489b556c894d71b372cc353fc6fa474bcda389f798a99
Instruction ID: 0a734274d933e7af15215522dd47e10f29cd614b725e467163d2b4efe78b5861
Opcode Fuzzy Hash: b62bae492387d450fe2489b556c894d71b372cc353fc6fa474bcda389f798a99
Instruction Fuzzy Hash: 4A112B74A0121ACFEF60DFA4D854B9CB7B6FB88301F20859AE409A7354DB349E85CF61

Function 00C0D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2122322503.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c0d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1621b9936c9bb42eeb538e71c9aa90ed28e0519473aab79785592f7a75c2d0a4
Instruction ID: 7f53c9b9a35cd0c3087b455b8493c20e9b35070c9c6bb42c5e94df6cb3bdb8cf
Opcode Fuzzy Hash: 1621b9936c9bb42eeb538e71c9aa90ed28e0519473aab79785592f7a75c2d0a4
Instruction Fuzzy Hash: DF012B310043409AE7209F9ECD84B67FF9CEF85324F18C56AED1A4A2CAD2399841CA71

Function 06D63430 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad6e8388e7649d25403c9dd47977e0505ad2974ff88a6fc4d0bfe7bc416e033
Instruction ID: c1a622934223a48ed3423271c237d96088816380275ff97a1d7704a3c1671c3c
Opcode Fuzzy Hash: 1ad6e8388e7649d25403c9dd47977e0505ad2974ff88a6fc4d0bfe7bc416e033
Instruction Fuzzy Hash: 2D018FB2D1420A9FDB11DF95DC445EEBBB4EF58310F01402AE944F7241E7756A04C7E1

Function 06D63440 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95a6d13e7abf538b7b4d11b6f554502b591f39a299b10752400821ad6766e57
Instruction ID: 2dea7025b4421314e61518ae3fe572faac914a70ff749ee7754f85749eedc343
Opcode Fuzzy Hash: a95a6d13e7abf538b7b4d11b6f554502b591f39a299b10752400821ad6766e57
Instruction Fuzzy Hash: 05011A72D0020ADFDF51DF99D9459EFBBB8EB58320F10412AF958B7240E771AA148BE1

Function 06D62528 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0bac370039bd3a326dc07fc84d66e5223fec4904d81095c24444cbfbbaecc0
Instruction ID: c4df21daf46464302db5fa41bd37ccc231e1efe68186168279dfd9a02c5c19f9
Opcode Fuzzy Hash: 3d0bac370039bd3a326dc07fc84d66e5223fec4904d81095c24444cbfbbaecc0
Instruction Fuzzy Hash: D0018035D0020A9FDB44EF68C852BAEBBB0EF48304F044529D515F7395EB749641CBD1

Function 06D6B338 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb01f3bb980deb4966c1bdce69e473a9cea426baf9277085f4c447c57d212f53
Instruction ID: fb12e58f85f39cb5d33a12cdbb9ae070f243e55b62b4c71d692ce72a36fe24c6
Opcode Fuzzy Hash: eb01f3bb980deb4966c1bdce69e473a9cea426baf9277085f4c447c57d212f53
Instruction Fuzzy Hash: 12017C70A4D244DFDB45CFA6D5415ACBFB8EF5A300B1592ABE049DA223D2308A65DB80

Function 06D634AF Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8366d090c4e5a8f300553fd5780687de9c24bbdf34a6915a23a7971307470a2b
Instruction ID: 8af705e7c209c737d20887b79814905e2c8404de493dd15d6a46115e55119d31
Opcode Fuzzy Hash: 8366d090c4e5a8f300553fd5780687de9c24bbdf34a6915a23a7971307470a2b
Instruction Fuzzy Hash: F6F02832A046288BCF05BB65CC100DEB7B1AF89210F01C266D545BB241FF319A1AC7D1

Function 06D6CD21 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53e9a0d72614bcef7601d53be55b2391fdef5ae6222a3d6494abb8b169877e4
Instruction ID: a203bde7026a003b4ddc9afc2fc40b845ae734693ef725b0830d92a20f7e3749
Opcode Fuzzy Hash: a53e9a0d72614bcef7601d53be55b2391fdef5ae6222a3d6494abb8b169877e4
Instruction Fuzzy Hash: 72015274905209CFDB40EFA5E5845AD7BFAFB88302B209928E0599B356D730DD45CF91

Function 06D634C0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee31d34a04cfd894da27f9c1ddc9df65792f7861b27d7afa8bc82e9d3e5c40f
Instruction ID: b7e2f86e57cb6722f78f00a77e1b6995eeba48715f71ecb9e7d05e6effbb9235
Opcode Fuzzy Hash: 1ee31d34a04cfd894da27f9c1ddc9df65792f7861b27d7afa8bc82e9d3e5c40f
Instruction Fuzzy Hash: 36018131A1062D8BCF04FBA9DC145EDB775EF88210F018629D91677250EF306A1ACBE1

Function 06D6B3B8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 284418e027cbf88d5c1b752d526afcc0a2838bdfc7ad485c81936fc25d13b3b4
Instruction ID: cadfe4ee910de8e3666a73dc614d8bb2575652e9299b18627a22ddaa0fd84f17
Opcode Fuzzy Hash: 284418e027cbf88d5c1b752d526afcc0a2838bdfc7ad485c81936fc25d13b3b4
Instruction Fuzzy Hash: AA01FB34A04108DFDB44DFA9C684AADBBF5EF48300F25D196E5099B352D731DE15EB40

Function 06D63530 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f878efbed19d0f8c7240d69b322be71d906aec5c7ad6298497745c77a207502b
Instruction ID: 485f54952ce3f253ac4161006256167114d3d9617b28a0fd27be3f427f724ce6
Opcode Fuzzy Hash: f878efbed19d0f8c7240d69b322be71d906aec5c7ad6298497745c77a207502b
Instruction Fuzzy Hash: 1EF05932B043009FC7049B6A9C5049ABF6AFFD7250B02427FE149DB211DE71D801C661

Function 06D6CC70 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0d3679b6ff496dda768b14abbbd36847868f3c9e37bf60c2123193ccded29b
Instruction ID: 2fe632d0763588a8b1eeca9cf65536e66148f45d011c26c2c67d4b9982052fb6
Opcode Fuzzy Hash: 0a0d3679b6ff496dda768b14abbbd36847868f3c9e37bf60c2123193ccded29b
Instruction Fuzzy Hash: AEF0467195D2848FE7C1CBBAC804BA97FB5EF82300F15865AE082D7162CB30854ECB22

Function 06D6A8C0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea1d259b6c98ce43906dfc4dc93db1741702c0fc743f7ded8a9dcf8feef2cbc
Instruction ID: 93b8f1eef767253fe00e7846526b5081737e309011dbea0f512eeb147a13690f
Opcode Fuzzy Hash: 9ea1d259b6c98ce43906dfc4dc93db1741702c0fc743f7ded8a9dcf8feef2cbc
Instruction Fuzzy Hash: 8F012C70D04259CFDF44CF9AC8446ADBFB2EF89301F1894AAE089B6256D7304955DF50

Function 00C0D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2122322503.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c0d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b7b7c501a3916e4a99a3a2362d5967f90917e5871c8d83157f2556cc38b7d9
Instruction ID: bf8cca253a4c14bb953d9ce80463346e30fb2503833faf123d9998b0c28992b7
Opcode Fuzzy Hash: b2b7b7c501a3916e4a99a3a2362d5967f90917e5871c8d83157f2556cc38b7d9
Instruction Fuzzy Hash: 48F062714043449AE7209F1AC988B62FF98EF95734F18C45AED594A2CAC2799845CBB1

Function 06D65361 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71142d4512ccc44fce841939380548a8dbf5a6c5e5ca2688f401e0c42124a7a7
Instruction ID: 77175ba1027b23f3ce5a56b8729cbc80aa27253233be975c8fcb35b6e77beb20
Opcode Fuzzy Hash: 71142d4512ccc44fce841939380548a8dbf5a6c5e5ca2688f401e0c42124a7a7
Instruction Fuzzy Hash: B8F0275105F2C49FDB039260ED147E73EB84713211F0D04C7E055E31A3D6AA4548C3A2

Function 06D6E121 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4eaa4292836a63a9fccae86384450fc5de134a90d912cd1ba2c65a16e70099
Instruction ID: 7bdadf2a4369dfdedf4d71fb9c5785e24a08282bee26cbf21e4501c6a8c7b5f7
Opcode Fuzzy Hash: 5f4eaa4292836a63a9fccae86384450fc5de134a90d912cd1ba2c65a16e70099
Instruction Fuzzy Hash: AEF09075D0924CBFCF91DFB9CC44A8DBFB4EB49300F14819EE80496351D2380A44EB11

Function 06D68E44 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af3e85411c15064d764e60ace746b6fbc39473d1af7b15807b9143ca4de2d73
Instruction ID: 70a55a813ec1424e0af340c5805b8601c961eafe1a90a3892483a89ad25a9d7f
Opcode Fuzzy Hash: 9af3e85411c15064d764e60ace746b6fbc39473d1af7b15807b9143ca4de2d73
Instruction Fuzzy Hash: 60F09A7090920ACFDB84CF5AC9A4AFD77BAEB89200F1051A5F00AAB166C7344988CB61

Function 06D66850 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f14bdca96660b14665441211f624e423a8ee95ff04cd859651016dc557f991d
Instruction ID: 0569cc285d8e44068249ef5b48683d4572b56ef0c8757bb08084436168bf9771
Opcode Fuzzy Hash: 1f14bdca96660b14665441211f624e423a8ee95ff04cd859651016dc557f991d
Instruction Fuzzy Hash: C1F03AB4D09209DFDB44DFA9D8006AEBFF8BB49300F108169E458A3350DB709A40CB92

Function 06D6CCC9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2135f3005874c416f53f55d847e85bd6f0a7aa2f7268fa788f63fec49b751c
Instruction ID: f2edf9deb2181767c62cadec99e878da92aecdff319c59731e05f59dd9e13441
Opcode Fuzzy Hash: eb2135f3005874c416f53f55d847e85bd6f0a7aa2f7268fa788f63fec49b751c
Instruction Fuzzy Hash: 5AF0F974948289CFCB01DFD8D884A9C7BF9EF88320F208629D4119F399DB34A84ADB41

Function 06D6CC80 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfac84eb0d546e3170f937f991b8545ff1031c6905290adbf5d138c08e9474f3
Instruction ID: f3276959cb431e9a8b66bb5b8bd6ae5c65b798646447461d56c8016996861ec1
Opcode Fuzzy Hash: bfac84eb0d546e3170f937f991b8545ff1031c6905290adbf5d138c08e9474f3
Instruction Fuzzy Hash: EAF0A770914208CFEB80DBEAC844B997BB9EF84301F109525E04262255DF74554ACB62

Function 06D6AACA Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea68d530dd43f0d0c925c358a40af75bd453a3d53abe1d7b1ae7996028759e98
Instruction ID: 70169d78fb15502061d68b6389cb8b5088a6993c7f5d82b12bbf6c093402e634
Opcode Fuzzy Hash: ea68d530dd43f0d0c925c358a40af75bd453a3d53abe1d7b1ae7996028759e98
Instruction Fuzzy Hash: 3AF01D34905115CFDB54CF55C684AA9B7B6FF0A301F245285E489B7252C370DD82CF90

Function 06D6EB09 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c0bd2c13243f325756402607dd9c99c06829eda0d4009238681dc00286d8db
Instruction ID: fc5291c9a04b782c2aa268389bda4b709631d0a47e7f79cae2a6e00220f41ee2
Opcode Fuzzy Hash: 60c0bd2c13243f325756402607dd9c99c06829eda0d4009238681dc00286d8db
Instruction Fuzzy Hash: 16F0A030D0D288ABCF55ABA8AC0159C7F70DB42302F24019EE90197392D6700D08D752

Function 06D66F99 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34f77ca8800a63703cbed4baa3661238a09c15fe05b9443a2d3fa40c93a8409
Instruction ID: 44be11933706f8297639cb34778869afee6b808af88c376c4c073cbe0f7a93f6
Opcode Fuzzy Hash: f34f77ca8800a63703cbed4baa3661238a09c15fe05b9443a2d3fa40c93a8409
Instruction Fuzzy Hash: 68E0263041D384DFE3418F119D056B7BB79AB43201F054189F04DA3192E7B0E908C792

Function 06D692E9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c6c9f2a01f3435b919d4fbe4ec1b003814e17634011d371c8e8b9dfde36105
Instruction ID: d33dd719675f0cef88ee1f84ca111b588d6f6d66b45fb00e6b8d253ce779e5b2
Opcode Fuzzy Hash: 25c6c9f2a01f3435b919d4fbe4ec1b003814e17634011d371c8e8b9dfde36105
Instruction Fuzzy Hash: BEF0E570A0A24ACFCBC0CF55C9E4AAD777AEF44200F1400A9F009AF0A5C7384948CB22

Function 06D6E130 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edda18594a838d9edb4c6178099225d1f6b175e990143b2432d80762a6da7f7c
Instruction ID: 60a35a24110e9e7ad1cee323e55515c1ab49237d4124896cdc3dc81b8b6447a7
Opcode Fuzzy Hash: edda18594a838d9edb4c6178099225d1f6b175e990143b2432d80762a6da7f7c
Instruction Fuzzy Hash: 44F01574E0420CEFCF40EFA8D54468CBBF5EB88301F1081AAA818A2390D6355A54EB41

Function 06D67120 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d86755039eb8cf80142b284d493fbe7880a7f78f77c6e9c7eeda81dddca404
Instruction ID: 40ade4a794e25c8785e68168ecab50b98fc2b8d7326af5cbe1b4e284aaa75923
Opcode Fuzzy Hash: c2d86755039eb8cf80142b284d493fbe7880a7f78f77c6e9c7eeda81dddca404
Instruction Fuzzy Hash: 81F0ED749182889FCB92CB68C455A987FF0AF07224B1802CAE8A0CB2B3D6718985C702

Function 06D66DD0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5868eb6b62a4064e14a2cfd4bce943b1d3d9d1d8e793475031d6dee117ca44dd
Instruction ID: 5d29d0265ffb55929b584d6baf8b98598b22fd6f7e031e588cc93f98d7e0a617
Opcode Fuzzy Hash: 5868eb6b62a4064e14a2cfd4bce943b1d3d9d1d8e793475031d6dee117ca44dd
Instruction Fuzzy Hash: D9E04FB4D25344EFDB82DBB4A60538CBFB1AB45225F5504EAD884E3761E7708A94CB01

Function 06D65A71 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c1aa36043e7566548ba82bfb824e0a8c7635a85e2a73ceecfceaf9f34c4430
Instruction ID: f1b6dead6c8e101f508c4fc4dd96b68622c8ba5dd1d6fb4197236404bdba9bc0
Opcode Fuzzy Hash: 92c1aa36043e7566548ba82bfb824e0a8c7635a85e2a73ceecfceaf9f34c4430
Instruction Fuzzy Hash: 81E06D70E10208DFCB40DFA8E50468DBBB2EB45315F1480AAE819E3740D7748A94CB00

Function 06D64F19 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c5254119ab9149bac86546f6045b2ee7cdc385565d41b17c01ffdf6f383cc0
Instruction ID: 7b89cf4e9a7905213016b672e3d123d68b9e2d4e3ed3f2bcef34c9d527480d32
Opcode Fuzzy Hash: f8c5254119ab9149bac86546f6045b2ee7cdc385565d41b17c01ffdf6f383cc0
Instruction Fuzzy Hash: 0BE01A71825304EFC706DF60E905ADDBF72BF42312F0581EAE804A7661EB714AA8D791

Function 06D66802 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14ec91937b01d29009d2d27f37fbb775978867ee3f5acc1f76c3eedb47f97e0
Instruction ID: 793ed7baffbdd27ee7453aaf1c66ee73c27790ce53d38584b096d2a230a5adf1
Opcode Fuzzy Hash: b14ec91937b01d29009d2d27f37fbb775978867ee3f5acc1f76c3eedb47f97e0
Instruction Fuzzy Hash: 01E01A70D10208EFCB84DFA9E50469DBBF1AB84301F0081AAE818A3350E7704A90DF41

Function 06D66338 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f43ae8cc4abffdda690e2bc3eba88e4fabe7ce592aa12202cd34b57cd4c3cfc
Instruction ID: e52a383a0ad5de1a0d0a978656ae543a88ee60750d46f585003d783ca12b1a6b
Opcode Fuzzy Hash: 1f43ae8cc4abffdda690e2bc3eba88e4fabe7ce592aa12202cd34b57cd4c3cfc
Instruction Fuzzy Hash: 13E01AB0D25344DFC741DBA8E91969DBFB1AB05205F1841EFE805E2651F6304A94C742

Function 06D66FA8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b39f92c581c7d03e96a9321ffa22e1cbad9974478edaf2b65012e7a70b0a95
Instruction ID: 4c69814bd6e52b6713ff10a7b93db74f0a2e981359fe945aa92be973b397e340
Opcode Fuzzy Hash: 80b39f92c581c7d03e96a9321ffa22e1cbad9974478edaf2b65012e7a70b0a95
Instruction Fuzzy Hash: 09D05E70829248DFD7408E569405ABAFB7CA707211F001054F40953181DBB1D948D686

Function 06D66F60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add08c31e7b593ab303a37fc20ea74db902e2ae7a50c0734f85854705389ccb5
Instruction ID: 52f765313bac028f9d0b7384ad3e45e0510503275132139c5aa3b9324c6f6760
Opcode Fuzzy Hash: add08c31e7b593ab303a37fc20ea74db902e2ae7a50c0734f85854705389ccb5
Instruction Fuzzy Hash: 81E08670455380DFE345CFA099027567F71AF42205B0501CED055A3152D730A944C761

Function 06D65A80 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c122a968d747ae7e024fb542ba2f2555a29abc5fb7977670dac794419a3645
Instruction ID: e7efbca5fc3a7352e0e227ea38e72e5a7f60ea3a0c534b65885bc53a4a535425
Opcode Fuzzy Hash: a4c122a968d747ae7e024fb542ba2f2555a29abc5fb7977670dac794419a3645
Instruction Fuzzy Hash: E3E09274D15208EFCB94DFA9E445A9DBBF4AB49301F1081A9E828A3340EB746A94DF91

Function 06D66808 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f7afa61c9868c9dc2d75ce2dc94845fdc3365860a70a5fbc24a93dd70b33ab
Instruction ID: 67183862af0c6cb75414de04d0be127f82b5d000f1e626ff96048db1e4a003d4
Opcode Fuzzy Hash: 07f7afa61c9868c9dc2d75ce2dc94845fdc3365860a70a5fbc24a93dd70b33ab
Instruction Fuzzy Hash: 0FE0B6B4D15208EFCB44DFA9E44569DFFF5EB48301F1081AAE818A3390EB745A90DF81

Function 06D67130 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdf61acef65803c790509a1781771fe50da68c318b618789aff48acbca901ca
Instruction ID: e5f47a64754ed53457df411371d00d115977135225a213b2041f87b295eb40ac
Opcode Fuzzy Hash: ebdf61acef65803c790509a1781771fe50da68c318b618789aff48acbca901ca
Instruction Fuzzy Hash: EBE0B674A20208EFCB80DFA8D449A9CBBF4EB08615F5041E9E808D7361E7719A94CB81

Function 06D66348 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24089c45313c911c5967e1d832458decab202f9819c1161faefa86297b274d05
Instruction ID: 33e476ab3977c0d1063116705b9d55e656faefe023cda0902af69fecdc7e60b1
Opcode Fuzzy Hash: 24089c45313c911c5967e1d832458decab202f9819c1161faefa86297b274d05
Instruction Fuzzy Hash: 28E0EC70D21308EFDB44EFA8D44569CBFB4AB04201F1441A9E804D3240EB705A94CB51

Function 06D64F28 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05879599b713b79138b45146bcb908712c55e0d5cf905443095615d74d5402f6
Instruction ID: f0ad54ae8b3d81a3b9cc8af577ae37f0984dcd59db4ead95fa235064a2ad2190
Opcode Fuzzy Hash: 05879599b713b79138b45146bcb908712c55e0d5cf905443095615d74d5402f6
Instruction Fuzzy Hash: 8FE01270825308EFCB14DF94E405A9DBFB5BB45302F5081A9E80453350DB715A94DB95

Function 06D66DE0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1690cce41787a82ba953834134d5a8817530b081ff04fe46aa4a5679cd528b3
Instruction ID: 1ebd8ebe7c07eda097d3619b087d6d709bd961bc6643c487093ac4c57abd363d
Opcode Fuzzy Hash: c1690cce41787a82ba953834134d5a8817530b081ff04fe46aa4a5679cd528b3
Instruction Fuzzy Hash: C2E01270D21208EFCB44DFB8D54579DBFF4AB04201F1041A9E804D3340EB715A90CB41

Function 06D6EB18 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cec6c02a5ee3a3c3d737eda8ae57887bd2e485efd2f75abc0af01e2cf22a690
Instruction ID: 38329c3f020d998a6983dc4a1dabd950a6410e2d4cd57174ac0d0a4622748112
Opcode Fuzzy Hash: 2cec6c02a5ee3a3c3d737eda8ae57887bd2e485efd2f75abc0af01e2cf22a690
Instruction Fuzzy Hash: 89E01234A0820CDBCF44EFE8D54569C7FB8EB44302F6041ADE90557391DA745E59E752

Function 06D65398 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfdd0ca8e02ecfea846087aa53eb4ca013d6dea3a92603cea42cc1a884e7e26d
Instruction ID: 25ae65e3d227700c0c747dbdc33fbe7431e7d71bf56d0b1b9a92a753ba1d3532
Opcode Fuzzy Hash: bfdd0ca8e02ecfea846087aa53eb4ca013d6dea3a92603cea42cc1a884e7e26d
Instruction Fuzzy Hash: B6C08C2209F20CCAE7492695B004770B5AC4302A04F482410A20E221E3CFF3D8D0C0DA

Function 06D66F70 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747c51d00664d30ec412124902ff14a0eda3ca0a9db2fd4ac965d7ff63e46fe1
Instruction ID: b0857fb04bf43afdfb250c2c6120fb9759aa77825df4579f3ae221ea193e89dd
Opcode Fuzzy Hash: 747c51d00664d30ec412124902ff14a0eda3ca0a9db2fd4ac965d7ff63e46fe1
Instruction Fuzzy Hash: BED01270865348EFD744DFA5E406B9DBB7CE702612F40019CF41953290EFB15D94D696

Function 06D6CED0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce86dd9725564075102c0b7ca6f5adbe1a01b9633e3e6317ee4811cec5478ba4
Instruction ID: 151db1460f503194982f42fff7b42eacd7cccefad6280cdfa817f73da85df114
Opcode Fuzzy Hash: ce86dd9725564075102c0b7ca6f5adbe1a01b9633e3e6317ee4811cec5478ba4
Instruction Fuzzy Hash: BBD05E3491928ACFCF41DBB4D848A8DBFB7EF48316F259599D0409B116C334405BCF02

Function 06D6A9E1 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5afbfc06a026f37c51f4444014b1aed89c4003ed05427790602fa3dfd5f53fc
Instruction ID: acd1338bee928b8397393fe28de382f7b4c528009fcb6d2e405dbaab7fd40b57
Opcode Fuzzy Hash: d5afbfc06a026f37c51f4444014b1aed89c4003ed05427790602fa3dfd5f53fc
Instruction Fuzzy Hash: 8AD0177060D240CFCF448B20C4589A17B79EF4B202B4800E9E48EAE167C6758944CF62

Function 06D6D341 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023803111501397d5a765d64679dd2d718f3a094ec4f668639482749846a890c
Instruction ID: 34823f566a01e70a0f1069a3e82d8a0814e650c53fa42c99c51c664cac44e72a
Opcode Fuzzy Hash: 023803111501397d5a765d64679dd2d718f3a094ec4f668639482749846a890c
Instruction Fuzzy Hash: 14D0C9319452058FCB40EF58D14959D7BBEFBC4211B209525D096AB629C73099068F92

Function 06D68C88 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c967d5c79f50cf31d8ddf5f989b654791e1cfad5d2ea0b6416813a6490b7ad02
Instruction ID: 86bf68a76e7b92c16bb9bd9f637efea748773291e68438fecd13fbc3f3ec752a
Opcode Fuzzy Hash: c967d5c79f50cf31d8ddf5f989b654791e1cfad5d2ea0b6416813a6490b7ad02
Instruction Fuzzy Hash: C3C08C300426048FCF106798A50C3283B68EB00212F64025DE20900013CBB140ACE626

Function 06D63F94 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3860d6df867e3e92a60f4ffea4d66362b61bc39deac74dbd306f015b371efe6
Instruction ID: da37250ecf39a3f43debd5096433294893999bd25b17a9f0d972a3902ae28a9a
Opcode Fuzzy Hash: c3860d6df867e3e92a60f4ffea4d66362b61bc39deac74dbd306f015b371efe6
Instruction Fuzzy Hash: 6EB012395D6A40F6730072754D41D3A9822FFF1F01B10BC3173C450020C920C42DD117

Function 06D66075 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2168612795.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e5e8bab464a7413af313aed69e040bfe03f825df50cade77cfa24129c3f24d
Instruction ID: 802e7e2a78682321420c59fb99e87d44b28ed3e88224862d61f0961784cc7c1e
Opcode Fuzzy Hash: 55e5e8bab464a7413af313aed69e040bfe03f825df50cade77cfa24129c3f24d
Instruction Fuzzy Hash: BBA0223F300300B82000B2A0CE00E2AA8032BF0F20B00A020F38C0000088308038E223

Analysis Process: Exccelworkbook.exePID: 7648, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	435
Total number of Limit Nodes:	26

Executed Functions

Function 014ED551 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 014ED5DE
GetCurrentThread.KERNEL32 ref: 014ED61B
GetCurrentProcess.KERNEL32 ref: 014ED658
GetCurrentThreadId.KERNEL32 ref: 014ED6B1

Memory Dump Source

Source File: 00000008.00000002.2196862930.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14e0000_Exccelworkbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fdbce3cbdf3d98f3364f25b526aac4b0b489a6678708e1cbae9a1988ba5bf197
Instruction ID: 9d5e3aa02ba6b83fbd8ebcbf1f49bec57a7049c1c4ccf51ecfcc7f8dd6363532
Opcode Fuzzy Hash: fdbce3cbdf3d98f3364f25b526aac4b0b489a6678708e1cbae9a1988ba5bf197
Instruction Fuzzy Hash: B75132B0D013498FDB18DFA9D548BAEBBF5FF89304F20845AE509A72A0D7389944CF65

Function 014ED560 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 014ED5DE
GetCurrentThread.KERNEL32 ref: 014ED61B
GetCurrentProcess.KERNEL32 ref: 014ED658
GetCurrentThreadId.KERNEL32 ref: 014ED6B1

Memory Dump Source

Source File: 00000008.00000002.2196862930.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14e0000_Exccelworkbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c73122f450c93feabac68b02d116c90a230f941ae8606050cba5452bd5e45694
Instruction ID: fee46a9221a8342d07b04f45024abe18156ddb8edc909da87e5e2857c8cebfd5
Opcode Fuzzy Hash: c73122f450c93feabac68b02d116c90a230f941ae8606050cba5452bd5e45694
Instruction Fuzzy Hash: 2F5157B0D002098FDB18DFA9D548BAEBBF5FF88304F20845AE509A73A0D7389944CF65

Function 033D83E0 Relevance: 2.7, Strings: 2, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 033D84A8
Haq, xrefs: 033D850E

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: 9fa1d62dd7e3b577732271600059b4906e06678aa03fefe8c824157fcf75689b
Instruction ID: 9336533aae655f57a534c738ada4eb7f3d29ef9b2a1fc1f7f747a62b4b0b41bc
Opcode Fuzzy Hash: 9fa1d62dd7e3b577732271600059b4906e06678aa03fefe8c824157fcf75689b
Instruction Fuzzy Hash: 1E815A71E003199FCB14DFA9C8946EEBBF6FF89300F14856AE409AB354DB349946CB91

Function 033D39A0 Relevance: 2.7, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 033D39E7
, xrefs: 033D39EE

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: ebaabeb602430895355bf5b2ffc09b982e951988973c4f8f87eba473b960009d
Instruction ID: baae07fd6db202afbe1e3a667e5c66792858e625c65f2bd9477047a18414136c
Opcode Fuzzy Hash: ebaabeb602430895355bf5b2ffc09b982e951988973c4f8f87eba473b960009d
Instruction Fuzzy Hash: 0A71A131900701CFEB11DF29D484956B7F1FF95314B85C6A9E949AB22AEB71E984CB80

Function 033D2514 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 033D39E7
, xrefs: 033D39EE

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 7dc7a2b9dc254cb3e5342ab844cb55af9ded732dd96f23e4a8b9ec8fc3e6aa0c
Instruction ID: ceecc2c2dcd48912f3a539f8fcf049262a6eeab428995468ae318f3e54905b9d
Opcode Fuzzy Hash: 7dc7a2b9dc254cb3e5342ab844cb55af9ded732dd96f23e4a8b9ec8fc3e6aa0c
Instruction Fuzzy Hash: 2871B231910601CFEB10DF29D484956B7F1FF95314B85C669E949AB329EB71E984CB80

Function 017606DD Relevance: 1.7, APIs: 1, Instructions: 249processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0176091E

Memory Dump Source

Source File: 00000008.00000002.2201168862.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1760000_Exccelworkbook.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 37e201feb31c07caa68ca9015a23e613e908eeda40d19348449ffd695321aa44
Instruction ID: 9c318c4bf91ac3678ee261f98a369553d9d5c9c829012d90e18a123dde8a6163
Opcode Fuzzy Hash: 37e201feb31c07caa68ca9015a23e613e908eeda40d19348449ffd695321aa44
Instruction Fuzzy Hash: D1A14771D002199FEB24CF68C845BEEBBB6BF48314F1481AAE809A7250DB759985CF91

Function 017606E8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0176091E

Memory Dump Source

Source File: 00000008.00000002.2201168862.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1760000_Exccelworkbook.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f01cb936b5450b905ea00e574f0177d63fc514fe9b60a38fc1640db753c16112
Instruction ID: c3ed29564d1d8604b230afbaafc0a11bb839fec07661ec0a89ebf6ebddf23add
Opcode Fuzzy Hash: f01cb936b5450b905ea00e574f0177d63fc514fe9b60a38fc1640db753c16112
Instruction Fuzzy Hash: 5E914971D00219CFEB24CF68C845BEEFBB6BF48314F1481AAE819A7250DB749985CF91

Function 014EB2B9 Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2196862930.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14e0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa79507336a7e537f1fbe3474e2f1791e1ad7a20c007c5321e84fe346e1d0618
Instruction ID: 9a2625e303da86f290d4acf3ad98ba621658464b2c9e1edac6fb2f5822fcaa04
Opcode Fuzzy Hash: fa79507336a7e537f1fbe3474e2f1791e1ad7a20c007c5321e84fe346e1d0618
Instruction Fuzzy Hash: 57813270A00B058FD724CF6AD04976ABBF1FF88204F108A2ED48AD7B60D775E909CB91

Function 03391DC4 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03391EE2

Memory Dump Source

Source File: 00000008.00000002.2204191009.0000000003390000.00000040.00000800.00020000.00000000.sdmp, Offset: 03390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3390000_Exccelworkbook.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4da917f798da2008a89bc47ac50d92f54e57f201a5b3a5c8af26a98638da6087
Instruction ID: f59630a32a26560cce6db4ca147cff66587682436dce07b42eed4201ba05ca27
Opcode Fuzzy Hash: 4da917f798da2008a89bc47ac50d92f54e57f201a5b3a5c8af26a98638da6087
Instruction Fuzzy Hash: 3E51B0B1D10349DFDF14CF99C884ADEBBB5BF48310F24822AE819AB250D7759845CF90

Function 03391DD0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03391EE2

Memory Dump Source

Source File: 00000008.00000002.2204191009.0000000003390000.00000040.00000800.00020000.00000000.sdmp, Offset: 03390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3390000_Exccelworkbook.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fab2aa439ca968839bc8d796d3745ea9b26d318da5a0ade3abc6970ff4815376
Instruction ID: 53e769bacf440831edfdea1e03dd973930200635db08486ae107dda7254c7265
Opcode Fuzzy Hash: fab2aa439ca968839bc8d796d3745ea9b26d318da5a0ade3abc6970ff4815376
Instruction Fuzzy Hash: EA419DB1D10249DFDF14CF99C884ADEBBB5BF48310F24822AE819AB250D775A845CF90

Function 014E5CEC Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 014E5DA9

Memory Dump Source

Source File: 00000008.00000002.2196862930.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14e0000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 33d940b2838ddd0b41fb87e7bed1f0c419192bca81953244bfde77137871f254
Instruction ID: c2fd36234994e2712ef3ec509f0cfac5e0c84d79a7d098923ef084fc0f6a92c7
Opcode Fuzzy Hash: 33d940b2838ddd0b41fb87e7bed1f0c419192bca81953244bfde77137871f254
Instruction Fuzzy Hash: 0B4106B0C00719CFDB25DFA9C848B9EBBF5BF49308F20806AD418AB265D7756946CF90

Function 03391364 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 03394461

Memory Dump Source

Source File: 00000008.00000002.2204191009.0000000003390000.00000040.00000800.00020000.00000000.sdmp, Offset: 03390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3390000_Exccelworkbook.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 8ebf809106cf1c329af19695f596108ff8949cdd0fb53810977074d4f8af121a
Instruction ID: f7ae42e9b4b224a292b87d7d16d80ac848e9936d7fc98c36104cd3d3bbcb9d0f
Opcode Fuzzy Hash: 8ebf809106cf1c329af19695f596108ff8949cdd0fb53810977074d4f8af121a
Instruction Fuzzy Hash: 5F4108B4900205CFDB14DF9AC488AAAFBF9FF88314F24C45AD519AB321D374A945CBA0

Function 014E4538 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 014E5DA9

Memory Dump Source

Source File: 00000008.00000002.2196862930.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14e0000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cc4205c21a312a431e9c9dc56e728a70965916fa08faea9fab2cd4f87ba76bbd
Instruction ID: 080dd6b935e1f2e303dc608c2a94f7b9b1ff3b3008c0194ddd40977247283ba6
Opcode Fuzzy Hash: cc4205c21a312a431e9c9dc56e728a70965916fa08faea9fab2cd4f87ba76bbd
Instruction Fuzzy Hash: A341E5B4C0071DCBDB24DFA9C848B9EBBF5BF48308F20806AD419AB255DB756946CF90

Function 01760459 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 017604F0

Memory Dump Source

Source File: 00000008.00000002.2201168862.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1760000_Exccelworkbook.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: cd7a6fd8241f571e7378fe4315b31aa5e51436fefeff165f6bc4d720fe11403d
Instruction ID: 486dd74a16ae98e206a8faad7d6a4fd9b48e2bc9eefe91fe2362336eff404502
Opcode Fuzzy Hash: cd7a6fd8241f571e7378fe4315b31aa5e51436fefeff165f6bc4d720fe11403d
Instruction Fuzzy Hash: C72117B59003499FDB10DFAAC885BEEBFF5FF48310F14842AE919A7241D7799944CBA0

Function 057F5D5C Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,057F6D65,?,?), ref: 057F6E17

Memory Dump Source

Source File: 00000008.00000002.2256977539.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_57f0000_Exccelworkbook.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 1267fa32856b40c832ad925093af9ad766379dbf309979a69fd1403ef564ffcb
Instruction ID: f992054e357f3431161767640cbc4b54df038bc63abe2641f389fcb0d0d2a361
Opcode Fuzzy Hash: 1267fa32856b40c832ad925093af9ad766379dbf309979a69fd1403ef564ffcb
Instruction Fuzzy Hash: C731E3B5D002599FCB10CF9AD884A9EFBF5FB48310F14842AE919A7310D374A940CFA0

Function 057F6D78 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,057F6D65,?,?), ref: 057F6E17

Memory Dump Source

Source File: 00000008.00000002.2256977539.00000000057F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_57f0000_Exccelworkbook.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: e193cc15641241b1c16d716742004f9088158bc159f6f6683dfe7e345f33e90f
Instruction ID: 7eb3eb03d46332fdfb6785cc52874f0cad3dcf318797415675f59d67e3b2b05f
Opcode Fuzzy Hash: e193cc15641241b1c16d716742004f9088158bc159f6f6683dfe7e345f33e90f
Instruction Fuzzy Hash: 2931E0B6D002599FDB10CF9AD884AEEFBF5FB58320F14842AE519A7310C375A940CFA0

Function 01760460 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 017604F0

Memory Dump Source

Source File: 00000008.00000002.2201168862.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1760000_Exccelworkbook.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 47254951eb5a13f94db5f7c6dd3f2d2e18d5f1fe115b92256a68d1f261922ccd
Instruction ID: 11b1963f1765f74e923c56a6cc42549230fea70e80a201b64181e02133942c67
Opcode Fuzzy Hash: 47254951eb5a13f94db5f7c6dd3f2d2e18d5f1fe115b92256a68d1f261922ccd
Instruction Fuzzy Hash: 582126B19003499FDB10DFAAC885BEEBFF5FF48310F108429E919A7240D7789944CBA0

Function 01760548 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 017605D0

Memory Dump Source

Source File: 00000008.00000002.2201168862.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1760000_Exccelworkbook.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 98fc29a1d1dddcd7e6f99265fa1b9eda4982bc0464294c58ae02fed84d12e2e9
Instruction ID: 6187009673051666430ae05796cd702f433f6414f948281e575cf0fd90ad0b01
Opcode Fuzzy Hash: 98fc29a1d1dddcd7e6f99265fa1b9eda4982bc0464294c58ae02fed84d12e2e9
Instruction Fuzzy Hash: 18210AB18003499FCB10DFAAC884AEEFFF5FF48310F50842AE959A7251D779A544DBA4

Function 014ED7A0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014ED82F

Memory Dump Source

Source File: 00000008.00000002.2196862930.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14e0000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 404f6773c76c030dace4abf1dd793ee0d9b940d5a00fc935c526155f9c9aac18
Instruction ID: e157f4ca6a0da06fc059198ffcc09e5e67585c4e3b9af88ad0b1a17e91b3a0c2
Opcode Fuzzy Hash: 404f6773c76c030dace4abf1dd793ee0d9b940d5a00fc935c526155f9c9aac18
Instruction Fuzzy Hash: 6121F6B5C00248DFDB10CFA9D585ADEBBF8FB48310F14801AE918A7210D378A940CF61

Function 017602C0 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 01760346

Memory Dump Source

Source File: 00000008.00000002.2201168862.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1760000_Exccelworkbook.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c55b60ef298e89c0ea6c08a2ba24b5847171a643cfe56a17b57028ca129a3668
Instruction ID: bb526134e161155071c007bc3d8b6372300f47d2d8df8f14305128119800dde0
Opcode Fuzzy Hash: c55b60ef298e89c0ea6c08a2ba24b5847171a643cfe56a17b57028ca129a3668
Instruction Fuzzy Hash: 7C2139B1D002098FDB10DFAEC4447EEBFF5EF49324F548529D519A7240C7789985CBA4

Function 01760550 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 017605D0

Memory Dump Source

Source File: 00000008.00000002.2201168862.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1760000_Exccelworkbook.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a6392dcd95b5288f150185cd9b35b549a8861a141d1efaaf5eaf928eb038b0e8
Instruction ID: a4b3ab539c9e3229ab8e8571627f5f6b1f8e2bd6bc53190ad5a02119beb85cd4
Opcode Fuzzy Hash: a6392dcd95b5288f150185cd9b35b549a8861a141d1efaaf5eaf928eb038b0e8
Instruction Fuzzy Hash: 4D213AB1C003499FCB10DFAAC840AEEFBF5FF48310F50842AE919A7250C7789940CBA4

Function 017602C8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 01760346

Memory Dump Source

Source File: 00000008.00000002.2201168862.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1760000_Exccelworkbook.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3a12065400c5212f7f2da7e7f5c63136de79dab4d7f7916ae808091edc49338a
Instruction ID: f286eecd07a15f58fcf08d7897b87c328f36126b7c84a6789f7c64a6dd5c4d84
Opcode Fuzzy Hash: 3a12065400c5212f7f2da7e7f5c63136de79dab4d7f7916ae808091edc49338a
Instruction Fuzzy Hash: AE2104B1D002098FDB10DFAAC4857AEFFF8EF49314F54842AD959A7240CB78A945CBA5

Function 014ED7A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014ED82F

Memory Dump Source

Source File: 00000008.00000002.2196862930.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14e0000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 88889c09a07065c285f41ddbb13dee26921a2fc28cb8e1dfa2754b9d42abc86a
Instruction ID: fb1d43302eb285e8b38bad24413e8b9f71fb62a900824ef03c5b762f9fd0dd69
Opcode Fuzzy Hash: 88889c09a07065c285f41ddbb13dee26921a2fc28cb8e1dfa2754b9d42abc86a
Instruction Fuzzy Hash: 5A21B3B5D002489FDB10CFAAD584ADEBFF9FB48310F14841AE918A3350D379A944CFA5

Function 01760210 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0176027A

Memory Dump Source

Source File: 00000008.00000002.2201168862.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1760000_Exccelworkbook.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 64397724903bfef6bddc21a1746a2583bdaad7e8e14b43e009dbf8902d600440
Instruction ID: 495a5a653af1257f13fa3475e7ca2e1fc592017e0aa2458ea7814158f1f119b6
Opcode Fuzzy Hash: 64397724903bfef6bddc21a1746a2583bdaad7e8e14b43e009dbf8902d600440
Instruction Fuzzy Hash: D71137B1D002488FDB10DFAEC8457EEFBF8EF89324F208419D559A7250CB79A941CBA5

Function 017603A0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0176040E

Memory Dump Source

Source File: 00000008.00000002.2201168862.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1760000_Exccelworkbook.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c9b07752fc22ab8236b8b0bab15d44e124aa8eb968d86ee35164483d617fb16b
Instruction ID: ac595ea03e0dccc9dcd112ce18011f1cce4b4ab08c2c6e18b1a7a779dce04eff
Opcode Fuzzy Hash: c9b07752fc22ab8236b8b0bab15d44e124aa8eb968d86ee35164483d617fb16b
Instruction Fuzzy Hash: CA1137719002499FCB20DFAAC844AEEFFF9FF89314F248419E519A7250C779A540CFA0

Function 017603A2 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0176040E

Memory Dump Source

Source File: 00000008.00000002.2201168862.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1760000_Exccelworkbook.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 087018be59c2f24854b3c2636b9cb7b9f5f52cdbb8bb74ca02dcb290166eb94f
Instruction ID: 39e94c80b29689e1c13e1966432acb4795da0a071f228121697b9c6862fcd4af
Opcode Fuzzy Hash: 087018be59c2f24854b3c2636b9cb7b9f5f52cdbb8bb74ca02dcb290166eb94f
Instruction Fuzzy Hash: 1C1149719002498FCB20DFA9C844AEEFFF5FF88314F248419E519A7250C7799540CFA0

Function 01760218 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0176027A

Memory Dump Source

Source File: 00000008.00000002.2201168862.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1760000_Exccelworkbook.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a47f8fbc06d9039658498d5491cae0aec4b3dcc25ca43c3d09f70ec64d05e6d4
Instruction ID: 698fb79c2d396c6a8c909f774587194949b71bf9a70e9f0fcb29439a73d500da
Opcode Fuzzy Hash: a47f8fbc06d9039658498d5491cae0aec4b3dcc25ca43c3d09f70ec64d05e6d4
Instruction Fuzzy Hash: 451128B1D002488FDB10DFAEC4457AEFBF9EF88314F248419D519A7250CB79A944CBA4

Function 01762A98 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 01762AFD

Memory Dump Source

Source File: 00000008.00000002.2201168862.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1760000_Exccelworkbook.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 955ac9d455867dbfd86a659d94ff800316e673c7acb834f465b34a93c690ce77
Instruction ID: 9455fc451d295d28c3e5a9aa57a3738fe4c3e6a7e3c5e5f28a029c7a3f73971c
Opcode Fuzzy Hash: 955ac9d455867dbfd86a659d94ff800316e673c7acb834f465b34a93c690ce77
Instruction Fuzzy Hash: 2D11E3B58002499FDB20DF9AC484BDEFFF8EB48310F10841AE918A3251D3B9A944CFA1

Function 014EB4B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 014EB51E

Memory Dump Source

Source File: 00000008.00000002.2196862930.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14e0000_Exccelworkbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 41335bf9e1ca50b8907a852a0d2ea18bd94231e4c33de2d812c100f07a5539f6
Instruction ID: 9ded6652c66f8ef80b82578f3a3a06bf048d6904a7ca5589cc830f0bc032f79b
Opcode Fuzzy Hash: 41335bf9e1ca50b8907a852a0d2ea18bd94231e4c33de2d812c100f07a5539f6
Instruction Fuzzy Hash: FC110FB5C003498FDB10CF9AD448A9EFBF8EB88314F14842AD519A7210D379A545CFA1

Function 01762AA0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 01762AFD

Memory Dump Source

Source File: 00000008.00000002.2201168862.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1760000_Exccelworkbook.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5f28620167199bcee55cdb00fe6a37a0b411dee7150dedb6cec8e2a9cfbb5d0e
Instruction ID: f847f59a3b49db2c6d5e0961490671d00f37a61cb291e2af22bf989f5eae66cc
Opcode Fuzzy Hash: 5f28620167199bcee55cdb00fe6a37a0b411dee7150dedb6cec8e2a9cfbb5d0e
Instruction Fuzzy Hash: 2911F2B58002489FDB10DF9AC484BDEFBF8EB48310F10841AD918A3240C379A944CFA1

Function 033DEBE0 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

@, xrefs: 033DEDC7

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 5e2385c66f18f43031508e1eb2cfd381b8d6cfd1bf50759132ac75be420760e1
Instruction ID: 1384b4da72ebf0a74dea48bf4c548e12bafad8d08b38b4d556225910f47c76fd
Opcode Fuzzy Hash: 5e2385c66f18f43031508e1eb2cfd381b8d6cfd1bf50759132ac75be420760e1
Instruction Fuzzy Hash: 82D12B3590020ACFCF15DFA8D8D49EDFBB5FF88314B259659D8066B259DB30AA85CF80

Function 05839FB0 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0583A010

Memory Dump Source

Source File: 00000008.00000002.2257309367.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5830000_Exccelworkbook.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 719fcb83e20c73be3656d0faf8cc3df5abd9f2b68a79b63ed7f9459d107f7004
Instruction ID: 7f80078a98a3d544211cc0e3f14cec45d375040b8d11b74889589cc74413ff44
Opcode Fuzzy Hash: 719fcb83e20c73be3656d0faf8cc3df5abd9f2b68a79b63ed7f9459d107f7004
Instruction Fuzzy Hash: 091133B5800349CFCB20DF99C545BEEBBF4FB48320F14845AD959A7240D339A944CFA4

Function 05839FB8 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0583A010

Memory Dump Source

Source File: 00000008.00000002.2257309367.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5830000_Exccelworkbook.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 92e3564395d60aa1ec391f889e4e71fd0aec0135846030b18a3485b06f4bfbba
Instruction ID: c79b736fd7627c726460c7b5a433a98f44f1cde227de48fe2f01304a46f6bf58
Opcode Fuzzy Hash: 92e3564395d60aa1ec391f889e4e71fd0aec0135846030b18a3485b06f4bfbba
Instruction Fuzzy Hash: 7C1103B5800349CFCB20DF9AC545BDEBBF4FB48320F14846AD959A7240D779A944CFA5

Function 033DEF90 Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97b188dff2faf82b0d28b031990f5bb90ecbbf73a8ea427c820aa1e5c3c96f1
Instruction ID: 509ef9945a95072d1301991e66b8b8698cfafcbd0ee60b01e115d22bf27faf97
Opcode Fuzzy Hash: b97b188dff2faf82b0d28b031990f5bb90ecbbf73a8ea427c820aa1e5c3c96f1
Instruction Fuzzy Hash: 2A726231910609CFCB14EF68D8946ADB7B1FF85315F44C299D44AAB265EF30AAC9CF81

Function 033DBF48 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59e72fa2637be17b979dc8187f7e075583e86eaf4810279d4ec3df47de63a4e
Instruction ID: e075be6983776a529dab73faa09d833003228f956d09acb71c9d17b665d4c214
Opcode Fuzzy Hash: c59e72fa2637be17b979dc8187f7e075583e86eaf4810279d4ec3df47de63a4e
Instruction Fuzzy Hash: E842E631E107598BCB24DFA8D8946EDF7B1FF89300F159699D459BB221EB30AA85CF40

Function 033DBF3A Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d382490b116c0778198773c2dcfc871c826e7aeefe416c5fc87b480f34dfc7d
Instruction ID: f4ec2a9829fad1162014e0b959fe5290fe009409e7de9450d6a6acac24a02134
Opcode Fuzzy Hash: 8d382490b116c0778198773c2dcfc871c826e7aeefe416c5fc87b480f34dfc7d
Instruction Fuzzy Hash: 29E10932E106598FCB24DFA8D8906EDF7B5BF49300F159699D459BB261EB30AE84CF40

Function 033DE920 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929876021e297f415befe09fad512fe974264d2b7cda114ea7b517ad10e817de
Instruction ID: 3c5a2f00f5544585e02e2b4da80844c6fa78e651e3d8bd4142d37a92be1c37a6
Opcode Fuzzy Hash: 929876021e297f415befe09fad512fe974264d2b7cda114ea7b517ad10e817de
Instruction Fuzzy Hash: 8291E97190070ACFCB41DF68D884999FBF5FF89310B14C79AE819AB255E770E985CB80

Function 033D17B0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a2904e9f6ccca946881b6f5d9d2cb91dfb4ecff73eef869d865bda70022182
Instruction ID: 8b0c9691513cc4bfab573762f87d54a289c229247cc668ac9652ab4dd354c0aa
Opcode Fuzzy Hash: 76a2904e9f6ccca946881b6f5d9d2cb91dfb4ecff73eef869d865bda70022182
Instruction Fuzzy Hash: CE81F035A01248EFCB55DFA9E884DAEBBB6FF49310B154099F902AB361D731EC41CB50

Function 033DDC98 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759896c0c86cefc5720ba183f67c20706c46f4a7b90170d05d36ead5b94d780c
Instruction ID: 55a5b66bbfa059302dfe29a898086a95ce8a4d45be7d36eaef29eedcfba56693
Opcode Fuzzy Hash: 759896c0c86cefc5720ba183f67c20706c46f4a7b90170d05d36ead5b94d780c
Instruction Fuzzy Hash: 6081CCB9600A00CFC718DF29C498959BBF2FF8931471989A9E54ACB372DB72EC41CB50

Function 033D81B4 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce66c1b639e09f514939dc5a3f24a672bae88a2f286239fc42665586dc23a91c
Instruction ID: cad54650d81f1f572437dadf4ee98752e771c6da18a8e7ed8f466be809b5ffdf
Opcode Fuzzy Hash: ce66c1b639e09f514939dc5a3f24a672bae88a2f286239fc42665586dc23a91c
Instruction Fuzzy Hash: E651CE71E02348DFCB04DFA4E884AEEBBB6FF85301F1584AAE441AB355CB30A815CB50

Function 033DDAB8 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abdacb6e563ddef20754e3b9f9179ca3c54642181cbdb394571701f81510c5ba
Instruction ID: 25226235b899d2949ab835780064fd861a1ef0eb128193a6274c8c97fa15522e
Opcode Fuzzy Hash: abdacb6e563ddef20754e3b9f9179ca3c54642181cbdb394571701f81510c5ba
Instruction Fuzzy Hash: 8B71B175A002068FCB14CF68D584999FBF5FF48314B4986AAE84ADB712D734ED85CF90

Function 033D7F60 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bccc9868ec3c7e06ce75524ab8a9cf1833a34cf0e7620fd2a8217174237f553
Instruction ID: a9cb666fb909114519d37fe535497db817b56ab8009a5b0c947df42e2b8c5730
Opcode Fuzzy Hash: 0bccc9868ec3c7e06ce75524ab8a9cf1833a34cf0e7620fd2a8217174237f553
Instruction Fuzzy Hash: 1B514175E002499FCB14EFA9D844AAFBFF9EF88300F14852AD515E7354DB74A905CBA0

Function 033DE912 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11de7a5019faf2dfafd0aa79338ee3f5dc3b845869933119d7f898aedf679035
Instruction ID: a7dfc42d0566245b50511fa71c05422b87080d4f794b3901ab577f7aa413e736
Opcode Fuzzy Hash: 11de7a5019faf2dfafd0aa79338ee3f5dc3b845869933119d7f898aedf679035
Instruction Fuzzy Hash: F7611D7190170ACFCB01DF68C880999FBB5FF49310B14C79AE859EB255EB70E985CB80

Function 033D2978 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b842048d7565f0933805b2b8ad4ae9de124a03984cb733d026e50cdc283f1a
Instruction ID: 34db56ac5ca70f218354cc2569f724ae578971c0593502973eb96283fcdacbbf
Opcode Fuzzy Hash: 87b842048d7565f0933805b2b8ad4ae9de124a03984cb733d026e50cdc283f1a
Instruction Fuzzy Hash: A951F235A10609CFCB04DF68C8989ADBBB6FF89700B1585A9E506EB371EB70ED45CB40

Function 033D2988 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d173592b51d3340ff9091a78d8d39490c7fce8127b8ebb8d2044405a05ab2778
Instruction ID: 3e99605ce84b4cd1fb284ef4d0f00a59d800a5b6a5178fc5e80209ca074862ba
Opcode Fuzzy Hash: d173592b51d3340ff9091a78d8d39490c7fce8127b8ebb8d2044405a05ab2778
Instruction Fuzzy Hash: 4951E334A10609CFCB04DF68D8989ADBBB6FF89700B1585A9E506EB371EB71ED45CB40

Function 033D1C28 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0972975270c4dc305b485b3543d74e56baea75cf9cbabf7cd7d502dee3a235
Instruction ID: c0ba1602b35fd6d798c21af59749c1d10f0d7c7254e04856142cdf60a0a5c34c
Opcode Fuzzy Hash: 7b0972975270c4dc305b485b3543d74e56baea75cf9cbabf7cd7d502dee3a235
Instruction Fuzzy Hash: E8415935F142588FDB54DBAAE8D4AADBBFABF49700F1440AAE501EB361CB71D800CB50

Function 033D4658 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0f8314ea0e885af83b4154eaa9c9068b79f399211087535200b0788ccb1beb
Instruction ID: 53d0476110f8b08a27f3b827ac73ea2d89e551971876038ac830ece9a6834bff
Opcode Fuzzy Hash: 3d0f8314ea0e885af83b4154eaa9c9068b79f399211087535200b0788ccb1beb
Instruction Fuzzy Hash: 39417036A00629CFDB25DF69E984AEDBBF9EF49724F584025E401E7310EF359904CBA0

Function 033D0430 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf947005d28c4fdb0dbd51e0a9cc1aaa8547136493f2d740891ef05480352291
Instruction ID: af1bfcba125d5b36100eef26465fcb257cbea7f3f1cacb2365054ff2288be140
Opcode Fuzzy Hash: bf947005d28c4fdb0dbd51e0a9cc1aaa8547136493f2d740891ef05480352291
Instruction Fuzzy Hash: 0E512975A01209EFDF14DF94E994B9EBBB2FF88710F148059E905AB351CB71AD50CB50

Function 033D3280 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ceacf40dd8495a57843c0789a85d59a7305b1f5d9e6dd120b944ff77ff3734
Instruction ID: 0a73d4905321bc870d9d2b57f6de547fe30a1ad47fb0ed8ee24b842dcbac11d5
Opcode Fuzzy Hash: 48ceacf40dd8495a57843c0789a85d59a7305b1f5d9e6dd120b944ff77ff3734
Instruction Fuzzy Hash: FC414736B002099FCF19DBA9E9C46EEB7F6AF88214F184529E506EB740DB349D41CB81

Function 033DCBD0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ffff83739404a4f89994142cde8d891805727fbe919ac2fb57c0f57cb63de1b
Instruction ID: c38efce28856b59346eb4e5e93a6d1071cb97ae71cc6b6c3965d475c2ad6555e
Opcode Fuzzy Hash: 7ffff83739404a4f89994142cde8d891805727fbe919ac2fb57c0f57cb63de1b
Instruction Fuzzy Hash: 21418035A10709CFCB04EFB8D88499DBBB2FF89300F0185A9E515AB325EB70A945CF81

Function 033D0F08 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8dc636343907778f4b403157331def4cf08b9e11a540e87d8facb8037f00a8
Instruction ID: 717aa337d41d6bd1f1c03f552f26a69b39df71d471cdd5f2db689add618a2d39
Opcode Fuzzy Hash: fd8dc636343907778f4b403157331def4cf08b9e11a540e87d8facb8037f00a8
Instruction Fuzzy Hash: BB416D34A10709CFCB04EF78D8849ADFBB6FF89304F008569E116AB325EB70A945CB81

Function 033D3130 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055e5ea80909c66182e4e1556b6b32e1ff4afa2854ad84a8c7aa21f9702e3093
Instruction ID: 385159e0f36f8bb98de34bef96d983d7914d7f9ae2fcde14910100ba179e1d5e
Opcode Fuzzy Hash: 055e5ea80909c66182e4e1556b6b32e1ff4afa2854ad84a8c7aa21f9702e3093
Instruction Fuzzy Hash: 4641C034A04746CFCB14EF69D48045EFBB2FF893107148A6ED409AB355EB31E902CB91

Function 033D882C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800bf9d52fad4b8dde103565374947e8db8c07c2094b12235cebd5b1fcc38e97
Instruction ID: 38f3a3d6481aeaa030c95f8f3595fe59cc3e3d10a1f08e7dbf237659fe30ef78
Opcode Fuzzy Hash: 800bf9d52fad4b8dde103565374947e8db8c07c2094b12235cebd5b1fcc38e97
Instruction Fuzzy Hash: 744102B1D00209CFDB24DFA9C984ADDFBB5BF49304F24812AD409BB211D7756A8ACF91

Function 033DDAA8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cffe2d09e4bb85b9c331b8f0db8acedd40351966b43aab1c61892739dc3ae645
Instruction ID: 32e5ac2a5935b67cff42faabf6f6fb51d0e22977c75f5aedce2926162e78573f
Opcode Fuzzy Hash: cffe2d09e4bb85b9c331b8f0db8acedd40351966b43aab1c61892739dc3ae645
Instruction Fuzzy Hash: 8F4115B5A002468FC715CF68D9C0AA9FBF5FF49304B1986AAD84ADB361D730ED45CB90

Function 033D8838 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f82e63dadf52c034f844b943a2ebf67ffd3d6a0cc0bdd5cfa443138a82b567a
Instruction ID: 0392f244bb02cb4291066a37ad40d7be8c8cac78245f593c17f7dc1892bd85f1
Opcode Fuzzy Hash: 7f82e63dadf52c034f844b943a2ebf67ffd3d6a0cc0bdd5cfa443138a82b567a
Instruction Fuzzy Hash: E341E0B1D00209CFDB24DFAAC984ADDFBB5BF49304F24852AD409BB210D7756A4ACF91

Function 033DA857 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f83f57c4d21ca3d045c4351d978b3f1564a4cd7c553e23cf051d27c1c68851f
Instruction ID: ebc68beb0bf09dfd6eb3c4410f678fece08a02d510de8bf5486ef27a8035d6a3
Opcode Fuzzy Hash: 2f83f57c4d21ca3d045c4351d978b3f1564a4cd7c553e23cf051d27c1c68851f
Instruction Fuzzy Hash: 93411A75A0020ADFCB40DF69D98499EFBB5FF89310B15C699E818AB315E730E985CF90

Function 033D77B0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9357228fe3148fd35f795611813ad9f51a27616f8cf5327b58886431a7f4917
Instruction ID: 66cabcb3d312d787e3acf8498821c2ca64f4eb15d63a0283c1653c1d6ba64601
Opcode Fuzzy Hash: d9357228fe3148fd35f795611813ad9f51a27616f8cf5327b58886431a7f4917
Instruction Fuzzy Hash: BF41BEB1D1035CDFCB14CFAAD888A9EFBB5BF48310F64822AE419AB254D7746845CF94

Function 033D24B4 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2c789e0fab9b67e0ef9c252c7adf40e08f3a94dc752189a7adacf9e1043123
Instruction ID: d6bae287ec6beac7f666e3f5d450aa200858518effaec17bbf3ffa0742214eb9
Opcode Fuzzy Hash: de2c789e0fab9b67e0ef9c252c7adf40e08f3a94dc752189a7adacf9e1043123
Instruction Fuzzy Hash: 1E31D776E00301CBE714DF39E894A52B7B2FFC4220F49C575E9096B245EF319844CB61

Function 033DCAD8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829a26517a4928ef70855a5597e35e303086464d51e9aa31d74f21ef1fc5f183
Instruction ID: 002bff2c3c551a5c7d0da8dc8d2d81d49a6bae02500a701c73c366ce1081cd63
Opcode Fuzzy Hash: 829a26517a4928ef70855a5597e35e303086464d51e9aa31d74f21ef1fc5f183
Instruction Fuzzy Hash: CF319336A102159FCF08EF64E8948DDF7B6FF89310B158669E406AB350EF31AD46CB80

Function 033DA868 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64b131cd57667ce56419e5f7566414c9ea6e07f039764bb8d7b0c5248741455
Instruction ID: acf88137874941875e04a14fc30be450da9cca44f015484c47bd2cbe3e560528
Opcode Fuzzy Hash: c64b131cd57667ce56419e5f7566414c9ea6e07f039764bb8d7b0c5248741455
Instruction Fuzzy Hash: 71411975A0020ADFCB40DF69D98499EFBB5FF89310B14C299E918AB315E730E985CF90

Function 033D37A0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9482cb5ad47ae83877b3b1364655957e69a44c6daa3dd9f61beb177c29365ad6
Instruction ID: b80009524877e06b882793b8cb8693e1f93358cb1b254d9dc9f681f35d7b7aa6
Opcode Fuzzy Hash: 9482cb5ad47ae83877b3b1364655957e69a44c6daa3dd9f61beb177c29365ad6
Instruction Fuzzy Hash: 6C31C976E00300CFD714DF79E894655B7B2FF84220F49C579D9096B245DB359844CB61

Function 033DA0B4 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416a18ae9a860e402cf0de519d41f0fe3f2fb204633af9f45e9a5f28312befa0
Instruction ID: 3e9d146bff118f9ca67d20830a257e0a89a66b919043ac80716de8ee471ad1b4
Opcode Fuzzy Hash: 416a18ae9a860e402cf0de519d41f0fe3f2fb204633af9f45e9a5f28312befa0
Instruction Fuzzy Hash: D72185323501018FDB14DB2CECC8969BBE5FF89711B1985B9E109DF366DA35DC048B50

Function 033D326F Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e023feb66df7f95e33ea0ae7d5ab8bbb84258f8c29220eea1d189f9c4ab8afb
Instruction ID: 1e3322730ad7f986fd92c75c9577f0e72640e6aeceee493d7ba0715159ed24ac
Opcode Fuzzy Hash: 3e023feb66df7f95e33ea0ae7d5ab8bbb84258f8c29220eea1d189f9c4ab8afb
Instruction Fuzzy Hash: E1319C36A01204DFCF14DFB9E9C469EBBF5AF49210F08446AD406EB750EB30AD41CB92

Function 033D1CAE Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232c24c6fbe7395610aaca12c26845a532a209d966b24e6e538ccff4fc266aa7
Instruction ID: 3667583ee1b5a0642321536fd438d6b4f9028435ecb6af715e89ffe96b6a70e6
Opcode Fuzzy Hash: 232c24c6fbe7395610aaca12c26845a532a209d966b24e6e538ccff4fc266aa7
Instruction Fuzzy Hash: 2E313635B142148FDB54DBA9E8C4AADBBF9BF49705F1900AAE501DB3A1CB71DC00CB50

Function 033D8721 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7718019aa5ae52c2c7d46532a1d66983b456b8e03f5b42fe490cf257ad9bb5b0
Instruction ID: e7dfd18b271ef488763f3bd253c75e7c1fe7cb6a1af370fa64aa8c026a571d45
Opcode Fuzzy Hash: 7718019aa5ae52c2c7d46532a1d66983b456b8e03f5b42fe490cf257ad9bb5b0
Instruction Fuzzy Hash: 4C31C0326042018FC710EF78D89499ABBF6EFC530571989AAD146CF365EB31E80ACB91

Function 033D89B1 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f05de1b1d977e3cbc9e643ac73af46edab957ba3052d1810bd872a6893f45d12
Instruction ID: af4e215e88ee622bd9c5407d348db272920f5ebd9f448f2929f4be281ac3bbc3
Opcode Fuzzy Hash: f05de1b1d977e3cbc9e643ac73af46edab957ba3052d1810bd872a6893f45d12
Instruction Fuzzy Hash: 01216276E002156FCB15DBA9DD809AFBBFDEFC8300B148156E515DB250EB74AA0587A0

Function 033D0422 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5b3b7a1a3ab07ef45cdea9ad319d1e9d40e848e37f121755fc23b378cceeb8
Instruction ID: 999a8d65412de1925e04088fdfe1885878a2557258b15451530eb7f59ea72ab7
Opcode Fuzzy Hash: 1f5b3b7a1a3ab07ef45cdea9ad319d1e9d40e848e37f121755fc23b378cceeb8
Instruction Fuzzy Hash: D0314875A01209AFDB14CFA5E984B9EBBF2FF88710F148069E905AB751CB31AD40CF61

Function 033D2F88 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e2fa89ea17ec755f600fd739a9cbbeaa6a98aa2040655439a4a62b0d2b5aeb
Instruction ID: 3df432633f6abb00a35fe6eb2ffe1149de9894385f9cfb8093930479f33ef7a2
Opcode Fuzzy Hash: b7e2fa89ea17ec755f600fd739a9cbbeaa6a98aa2040655439a4a62b0d2b5aeb
Instruction Fuzzy Hash: 36218E353012008FCB18DB39E894A5AB7E9EF89715B1484AEE506CF3B0DB76EC46CB51

Function 0143D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2194228676.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_143d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4929938fc090c80d72198373127dc9aa8600b6fcfad301256448b6ce6c4744e5
Instruction ID: 489480b658a6bbc5c008366aeb510711397de08fd1ff6db2a1d11eb120abe7b0
Opcode Fuzzy Hash: 4929938fc090c80d72198373127dc9aa8600b6fcfad301256448b6ce6c4744e5
Instruction Fuzzy Hash: C221F171900240DFDB06DF58D980B27BF65FBC8318F60C56AE9090A2A6C33AD416CAA2

Function 0144D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2194330218.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_144d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3dd4029fcfe8ce470b0a083240797c8f24b59d641edb55be73671cb74993429
Instruction ID: aaf0f3cd2255b10550c1b012ef9ba88322f213958ee1a45e8d1113a66a15ad64
Opcode Fuzzy Hash: d3dd4029fcfe8ce470b0a083240797c8f24b59d641edb55be73671cb74993429
Instruction Fuzzy Hash: 5D210771A04204DFEB05DF98D9C0F26BBA5FB94324F20C66EE9094B366C33AD406CA61

Function 0144D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2194330218.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_144d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50172407867d1cceaf83ce9498adc3b9baad65f0ad0dc07dd6242f22b10c461
Instruction ID: 2bec0d40f0d01fb7556ea7cbffc234ea9bd7c3c6c77460c907ceee1f924854ab
Opcode Fuzzy Hash: b50172407867d1cceaf83ce9498adc3b9baad65f0ad0dc07dd6242f22b10c461
Instruction Fuzzy Hash: 832107B1904204DFEB15DFA8D9C4B16BF65FB94358F20C56ED90A4B366C33AD407CA61

Function 033D2F98 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d902a9390f668dcce7fb58af0eed334790ab8b437cd71587b9dc87254e5b48
Instruction ID: 291c9ee9271fd213e0a7d08c094e54b40b6595ba9d2bc21548eaa2419c43e091
Opcode Fuzzy Hash: 37d902a9390f668dcce7fb58af0eed334790ab8b437cd71587b9dc87254e5b48
Instruction Fuzzy Hash: 21215E353002018FCB18DB39E894A6AB7E9EF89715B1484ADE506CF370DB76DC06CB51

Function 033DFAD0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ba0208c7b594810f825d1d87234ed74db1c9bf64e50f45e77ba6f5fe0ef35d
Instruction ID: e228fb1eb35b3f8230a7e50b8e110e5d4f6fa6a49eb609de8c360c300d3b050b
Opcode Fuzzy Hash: 62ba0208c7b594810f825d1d87234ed74db1c9bf64e50f45e77ba6f5fe0ef35d
Instruction Fuzzy Hash: 4D2153329006099FCB10EF6CD88059DFBF4FF59311B54C26AE958AB300FB31A998CB91

Function 033D2CC0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf330d430dc2761992c32dae2bfd239665594d42c5b15e18542bc60fb35d8dc
Instruction ID: b97826aee5201eb2ef0a1ef935034d8e450648ea0420101aa6f02248790c3fd4
Opcode Fuzzy Hash: ccf330d430dc2761992c32dae2bfd239665594d42c5b15e18542bc60fb35d8dc
Instruction Fuzzy Hash: 3011B732F00B164BDB11EFA9A8806AFF7F5EFC4610F14896AD515E7218DB7499428781

Function 033D312E Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27954b9dd17c1942845ba56c4ce329e7b1e8f1dfbed992e63ed141362fe2d22f
Instruction ID: f12fb6751dd9e851e6e9a745f34f74e2e33177cae0d106e1b43f8009bfda42ac
Opcode Fuzzy Hash: 27954b9dd17c1942845ba56c4ce329e7b1e8f1dfbed992e63ed141362fe2d22f
Instruction Fuzzy Hash: D0213B75A0070BCFCB14EF64D5808AEB7B6FF893047104A29D50A9B614EB31E905CB91

Function 0144D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2194330218.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_144d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6929e64e1c85f7b59f66bb2bfd128ad3c929cc4b954287a9bfb91f6d24a343ee
Instruction ID: d7dd278a0de2f0b3fe8e552a1756aa8a592ef4e8cbdd598df9dfd845b7058e2c
Opcode Fuzzy Hash: 6929e64e1c85f7b59f66bb2bfd128ad3c929cc4b954287a9bfb91f6d24a343ee
Instruction Fuzzy Hash: 762192755093808FDB17CF64D594716BF71EB46214F28C5DBD8498F2A7C33A980ACB62

Function 033D36C8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ba124f5fdb10e66c2e9e64ec96793d5013d678733b2459176863238552a152
Instruction ID: 65c32d71dd43846573be02377d469becb67fde8f9398beb2c2b47dc89858600f
Opcode Fuzzy Hash: 56ba124f5fdb10e66c2e9e64ec96793d5013d678733b2459176863238552a152
Instruction Fuzzy Hash: 3F219336900744CFC769EB78D494AAAB7B6EF85310F0488ADD45A4F261DF35A889CB41

Function 033DCDCA Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d48e8119b5ba384b43141c2fbc04f5e499ab15753a659484deb34d5b175a57
Instruction ID: 738f41400d79a37292eef3795dd75be83df191fb4e07e00551c274e4470b2b7d
Opcode Fuzzy Hash: b2d48e8119b5ba384b43141c2fbc04f5e499ab15753a659484deb34d5b175a57
Instruction Fuzzy Hash: 0021E632910B04DFCB20DF69E880455B7B5FF86301B59867ED4499B260EB31E991CB80

Function 033D2484 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4428c0c318c0334990531272f13eaf879b567ff95f137965ab22580f84f5e5bb
Instruction ID: 9c92db0d07f32a630c0e339d2df57b7adc1a839737074ffbbc64849ea5eb858b
Opcode Fuzzy Hash: 4428c0c318c0334990531272f13eaf879b567ff95f137965ab22580f84f5e5bb
Instruction Fuzzy Hash: 8A218435A00705CFC758EB78D494AAAB3B7EF85311F00886DD4595B260DF35A8C9CB41

Function 033D2C90 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e692b3914281bee2c29d48c5c7a361a17627c9613a94b6881063af0e90ec410
Instruction ID: 66e379297d351b5494fb767eaef8f533f29ae261f817c7fe07a22bb9f2a814c8
Opcode Fuzzy Hash: 5e692b3914281bee2c29d48c5c7a361a17627c9613a94b6881063af0e90ec410
Instruction Fuzzy Hash: 8A11E3323042518FCB15D738CC9896A7BE5AFCA620B1945EBE105CB3B1CB21DC01CB91

Function 0143D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2194228676.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_143d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 36e4d8bc170ce21b2d1c8bb6de49e02f548ddd32e299c82d2f03253113b3c88d
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 6E11B176904280CFDB16CF54D9C4B16BF71FB88324F24C6AAD9490B667C336D45ACBA2

Function 033DB59A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac3caede617b87de14ea3c3e8bbc03a6b409dca08cae905e356594004b67b35
Instruction ID: 2509315b8e792f549c7ed32b7747b3cd50af26e1a9305efda4833eb9aa26ed50
Opcode Fuzzy Hash: 2ac3caede617b87de14ea3c3e8bbc03a6b409dca08cae905e356594004b67b35
Instruction Fuzzy Hash: F41182333482504FDB14DA2DDCD5A69BBE5EF89310F1D84BAE049CF366DA25D8048750

Function 033DB47F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75b3b02670a6f2e51348813bf2f9e814a7fddfca9518c8e13d935444644af1db
Instruction ID: caba8edfffb9cf10b52e8fea16559f92b1176dbf969443cc2486f7a83d38f3f4
Opcode Fuzzy Hash: 75b3b02670a6f2e51348813bf2f9e814a7fddfca9518c8e13d935444644af1db
Instruction Fuzzy Hash: DA01F93B2093804FC726CA26AC90969BFB85F8255070F40DBD541CB2A2DA18D985D761

Function 033D4C18 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239b53ed37a09402b1f563a5302d2b486247bfd7a66ab4707ac7cba62e86db99
Instruction ID: 8355478cc3b780bb0fe3fcbf93cc18ea7b95037e6d11fac0ffe61f43d71240c4
Opcode Fuzzy Hash: 239b53ed37a09402b1f563a5302d2b486247bfd7a66ab4707ac7cba62e86db99
Instruction Fuzzy Hash: A411CE35A002089BD714EFA6E5947DEB7F2EF88300F104429C646AB394CF759E05CB91

Function 0144D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2194330218.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_144d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: ce6aea1a469b5ebce42078c698ebd09c0a200a18881bfc6cd3776d3003bc4e4f
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 8B11BB75904280DFEB02CF54C5C4B16BFA1FB84224F24C6AAD8494B3A6C33AD40ACB62

Function 033D1EA0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803ca8e0f3a888128944a5e2ef2696d5365a6e61a6b25b8c32dd468b566b5f5b
Instruction ID: 4be2234a1e414d5114b3784638e62ca2885acce994b9edaa712957dadfa1c7bb
Opcode Fuzzy Hash: 803ca8e0f3a888128944a5e2ef2696d5365a6e61a6b25b8c32dd468b566b5f5b
Instruction Fuzzy Hash: 6511C276E006068FCB65DFA8E8556BEBBB6FF88310F084169E505D7345DB349A01CBD1

Function 033DCE08 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6174d21b60e2fbfdb1d63f67cc94153b9ac8e7023cd2c04f8f94436e18b53548
Instruction ID: d5960e01d6a06142b8160a5f6da1769b2d6b59eef9b00e8b6cb6970dc6c8e36d
Opcode Fuzzy Hash: 6174d21b60e2fbfdb1d63f67cc94153b9ac8e7023cd2c04f8f94436e18b53548
Instruction Fuzzy Hash: 79118272921714CFC715EF38D88055AB7B5EF86301F088A7DD5458B2B1EB30E941CB81

Function 033D82A4 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2ca01272cf5f19818fa09304681ba5d2c278b025cea93de2d350ffd32c57d4
Instruction ID: 9bbcbe100d253d2c993559eeab4bbae9789f4d8d839fc8c29e22f85e25abfc57
Opcode Fuzzy Hash: ce2ca01272cf5f19818fa09304681ba5d2c278b025cea93de2d350ffd32c57d4
Instruction Fuzzy Hash: 8A1104B6C006488FCB10DF9ED444A9EFBF8FB49310F14841AD419A7314D378A545CFA1

Function 033D80F0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef72f8f0a6ceb978d10387704f3743262303f8b29383bb5f2b24b0514ac7836
Instruction ID: 51ecf3414baaabf67065ef74ac97fbaf2b593e4229bd24270298b5a4229bbc81
Opcode Fuzzy Hash: cef72f8f0a6ceb978d10387704f3743262303f8b29383bb5f2b24b0514ac7836
Instruction Fuzzy Hash: 841104B6D006488FCB10DF9ED444A9EFBF8EB48310F14841AD819A7314D378A545CFA1

Function 033D54F9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97cbcea65702ef439f017e5e5f6a3c66bbb280987ecd34c2c6e0ce3cf3fd3cfb
Instruction ID: a37d800f22908f137cdc65fee2ca05296d5205ac4e210a979e13e1b76c55fea2
Opcode Fuzzy Hash: 97cbcea65702ef439f017e5e5f6a3c66bbb280987ecd34c2c6e0ce3cf3fd3cfb
Instruction Fuzzy Hash: 3D11AD31A001159FEB04DF68D998B9BBBF6FF88704F044169E506EB359DB36AC10CBA1

Function 033D8CD0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7640dbe00cbaf9d9781ffe4a2178a44a019d247c986ab45ff610632001b3b4f6
Instruction ID: 0b0dc8d33bf72edd0670de74afbfd44094820e18afc7d33e3b00c191cb359e49
Opcode Fuzzy Hash: 7640dbe00cbaf9d9781ffe4a2178a44a019d247c986ab45ff610632001b3b4f6
Instruction Fuzzy Hash: E211E2B5C006498FCB20DFAAD884ADEFBF5FB88310F14852AD819A7214C379A545CFA0

Function 033D8294 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df6ba1a9bff7396c0e7f5cd5bbd675a539bc5a81a0a54df08d08243bb1206a4a
Instruction ID: 334b17632c41a21738b8ded109c50113de81eaf7e712805903697c970d32e646
Opcode Fuzzy Hash: df6ba1a9bff7396c0e7f5cd5bbd675a539bc5a81a0a54df08d08243bb1206a4a
Instruction Fuzzy Hash: 05012632B043145FCB09D779A8949EE7FFADF85210B0484AAD40DD7256DA719C028750

Function 033DD1D8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198637b8a113e2118917945e1a6d5dc623ea008481d105d9c08da951d68fcd8b
Instruction ID: c1aee6fe971b78d8d330cd5684d2517acedf9f9ca228838edfb701bc9cdd82e5
Opcode Fuzzy Hash: 198637b8a113e2118917945e1a6d5dc623ea008481d105d9c08da951d68fcd8b
Instruction Fuzzy Hash: 6401D233A00741CFC711AB78E8805ADBB71EFD5310B0A026AD8545B251EF32A6828FD1

Function 033D1EB0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf92548e0a09b4b4f906937aedeeb641ba8bcabc0cf73ae7f7018c29ef124102
Instruction ID: 99523e1711b81966a0800e6443aac7bacdb6771940a6c1c924f0f0a5df637be0
Opcode Fuzzy Hash: cf92548e0a09b4b4f906937aedeeb641ba8bcabc0cf73ae7f7018c29ef124102
Instruction Fuzzy Hash: CE01D275F0060A8FCB64DF98E8556BEBBB6FF88710F044129E505D7344DB309A018BD0

Function 033DA2E9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df1298cb43e932a4c7d5444a24028b7a9ba60c6f8b78701ef2a5303d5157f30
Instruction ID: 58b528a0c0a9a0a51b04206704806502ea11b1f526897ecbdb094bd6a32f89ec
Opcode Fuzzy Hash: 9df1298cb43e932a4c7d5444a24028b7a9ba60c6f8b78701ef2a5303d5157f30
Instruction Fuzzy Hash: 841113B5800248CFCB10DFADD584B9EBBF5EB48310F24841AD559A3610C379A544CFA5

Function 0143D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2194228676.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_143d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0319401977d03d3abcb5f2a330df8e79836b40ca0357987fcee02aca1bb4e7cd
Instruction ID: 01a609f4f177fac34803f6260aedbb65bfbb9ab8b9fdc471c599587f390a18a4
Opcode Fuzzy Hash: 0319401977d03d3abcb5f2a330df8e79836b40ca0357987fcee02aca1bb4e7cd
Instruction Fuzzy Hash: 3B0120718043849AE7125E69CD84B67FF9CEFC9370F54C52BED090A356C3799401C6B1

Function 033D5508 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af69a7a52799306c981c68ee346445b2d40fc8a300d86ca6e95ccbc4185b46d6
Instruction ID: 31fd7af66112a3696594713e12f38d9ad72bda9c68a6ffc346ac5e978b809f95
Opcode Fuzzy Hash: af69a7a52799306c981c68ee346445b2d40fc8a300d86ca6e95ccbc4185b46d6
Instruction Fuzzy Hash: 08017131A001059FEB04EF59D998B9BBBFAFF88714F144169E106AB354DB759C00CBA1

Function 033DA2F0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4a54731e3e38734f5b9196b79d5cb9f5b42a072bea66465e4364c3c3eecdf8
Instruction ID: 044929ba814f76e1b5c65f8dadce2e56fb32773d337eb15e8b8f54f4ba262409
Opcode Fuzzy Hash: ec4a54731e3e38734f5b9196b79d5cb9f5b42a072bea66465e4364c3c3eecdf8
Instruction Fuzzy Hash: D211E5B59002488FCB10DF9AD584BDEFBF9EB48320F24841AD919A7750C379A544CFA5

Function 033DCE18 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9181ef064c340bf3ba22039be329e083c775813df18e1de2f4b3652245ff6c
Instruction ID: 18b6ebeb801d8bc89bf9533e99a91b4e27b6fbea2c98694dc7d7e3414fbc2ccd
Opcode Fuzzy Hash: cc9181ef064c340bf3ba22039be329e083c775813df18e1de2f4b3652245ff6c
Instruction Fuzzy Hash: 9F01E976A10708CFC725EF39D48055AB7B6AF86341B15856ED9468B6A0EB31E941CB80

Function 033D1C17 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed17e88397df2ec9c9eda34024af46c9bd034ce9bac30bf2e662dc78782797bb
Instruction ID: d94599d31d47ca39a1bcfd28b5660a5182084533c48e8cbffcbc23749b8e281d
Opcode Fuzzy Hash: ed17e88397df2ec9c9eda34024af46c9bd034ce9bac30bf2e662dc78782797bb
Instruction Fuzzy Hash: 77017171E181689FCB28DB69D8C59ED7BF5AF4D310F184065E401EB351DB7599018F90

Function 033D4C1A Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e12e033e4ec7e48a7d405caa821d4d1100c13986c688cf8c93468f65e654509
Instruction ID: 53b0cc8670e1be92f31bdbc7144f014993700d8d3974bb9901476cad2bae852d
Opcode Fuzzy Hash: 0e12e033e4ec7e48a7d405caa821d4d1100c13986c688cf8c93468f65e654509
Instruction Fuzzy Hash: 68015E35A002099FD714EF66E4987AEB7F2EF88300F10882DD646AB694DF795905CB91

Function 033DB3E9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ecbc17b5eab7b37fd38f7be6a01c2adc7cb063d58ffd7079a6c5aa61da21cf1
Instruction ID: 2d1430296684fb64fac3cc9edaee312a595b2e40b3170b7b59d5bec9733e87b7
Opcode Fuzzy Hash: 2ecbc17b5eab7b37fd38f7be6a01c2adc7cb063d58ffd7079a6c5aa61da21cf1
Instruction Fuzzy Hash: 4EF0AF377003104BCB2AEB34B5A052EFBBA9FC961171A406AD545CF3A1DE3DC942C782

Function 033D2C21 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f2f8ebd794a1fad0780a4e2599809c9adf987078453695134ed38d808a17cc
Instruction ID: a8875eceb8c1568a02322b207783c25c0140fae4d219d0610aa280f961b65f0a
Opcode Fuzzy Hash: 11f2f8ebd794a1fad0780a4e2599809c9adf987078453695134ed38d808a17cc
Instruction Fuzzy Hash: 890186353106008FCB14CB68D8989697BE5EFCD611B1980A7E50ACB371DF61DC01CB91

Function 033D9240 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184e1992cc05da0f7f772731c5ca48da1987cdea9f8a9b1b94b23709b14f9699
Instruction ID: cbcb6c3c27844de2ec05ce85291d245f36ad86fed26004221bd38bb84dbc614b
Opcode Fuzzy Hash: 184e1992cc05da0f7f772731c5ca48da1987cdea9f8a9b1b94b23709b14f9699
Instruction Fuzzy Hash: C6F03C76F002655B8F55E7A86C91DBEBB76AFC5510B100029D505AF340DA311A15C7D5

Function 033DA094 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed09861ee852c07b260bfdff571eee2328ea6f64fb4fe30d7d35ff80f33b21a
Instruction ID: b9f6cf71329bdad13e9ff99eed7894a286a10c52a281842413ee729feff0adb7
Opcode Fuzzy Hash: aed09861ee852c07b260bfdff571eee2328ea6f64fb4fe30d7d35ff80f33b21a
Instruction Fuzzy Hash: 47F0E9373042118BC624D92AB8C4E3AF3FDAFC4A6570B806DE906C7650DE64DC85C761

Function 033D30C6 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a883a04e03aa7dc433be599634766c7a92fe6579658b95cbac5acecb55005881
Instruction ID: 741add9fabc96b6b5eac8343f2de2bcebc835ccef62ae58c638f534d2485deb0
Opcode Fuzzy Hash: a883a04e03aa7dc433be599634766c7a92fe6579658b95cbac5acecb55005881
Instruction Fuzzy Hash: D30181717042408FCB45EB78D8944AE7BB6AF9A21031544EAD006CB2A5DF349D41C791

Function 033DA7B8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5bb95495bf43fa9d8354bed11f1f9ae366757006105960a3c66986c8dcd5ff
Instruction ID: a1f3fa83850859907182c7da18b0b4593a98e3720e3ab4d4a1aa11bd136408f8
Opcode Fuzzy Hash: 4f5bb95495bf43fa9d8354bed11f1f9ae366757006105960a3c66986c8dcd5ff
Instruction Fuzzy Hash: 6201E571900209DFCB41EFACC58599DBBF4FF49300B1585AAE489EB321E770AA54CB91

Function 033DD25A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9aa1c17269b6a93686ef9d930b989eb471d4e1bc939912491b339c9f23797f8
Instruction ID: b6fc86b790142928769589009f22c7e12f3ed4e9659a44150873d19005a64418
Opcode Fuzzy Hash: a9aa1c17269b6a93686ef9d930b989eb471d4e1bc939912491b339c9f23797f8
Instruction Fuzzy Hash: AD0128322043108FC721AB29E88491ABBFAFFC9321755059ED4468B731CB36EC02CB80

Function 033D9242 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99d091bd6ba216d31dd00b8f1ae7a02b202e35e7a7a290065ac78e8482a937f
Instruction ID: 0e9da6e9d2528d668477f56d4aea5d30f054c789b6bdc819f2dfe1cb0ea5addc
Opcode Fuzzy Hash: f99d091bd6ba216d31dd00b8f1ae7a02b202e35e7a7a290065ac78e8482a937f
Instruction Fuzzy Hash: 03F05B7AF002755F8F55EBA86C91DBEBB76AFC9610B100029E505AF340CA311E16C795

Function 033DD1E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0575672ac4fa2285b730d319d4e6d71f7597a20921f7acf7fbcd99b15c93a749
Instruction ID: 813bc97202c853fd5e54ec622e8a5554b58eb7ce7fa38588f405c1d86b244237
Opcode Fuzzy Hash: 0575672ac4fa2285b730d319d4e6d71f7597a20921f7acf7fbcd99b15c93a749
Instruction Fuzzy Hash: 2CF06D36B007048BCB15BAB8E8405AEF775EFC5211F06466ED8496B210EF71E5818BD2

Function 033DD5F0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7112b372f649b0889b382d04445952d71a69b3b00d38eb68f9d27a624028be74
Instruction ID: ac564596f8ff67eb36bf3a8066da24da2fd2948976ceae7d31b49a64859fbb0a
Opcode Fuzzy Hash: 7112b372f649b0889b382d04445952d71a69b3b00d38eb68f9d27a624028be74
Instruction Fuzzy Hash: 9DF05E723006154F8A14AE6EF8C485ABBEEEFC4325354463AE10AC7224CF71EC0A8B90

Function 0143D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2194228676.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_143d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e88ec8799191e63b0b3419ae0cdfa3d7df30384adba0dd200542821fae02d050
Instruction ID: 7bd01acf1189fa1cb58c11aea2ae478a4446bb264ae55e29a1a81dfec9492fb4
Opcode Fuzzy Hash: e88ec8799191e63b0b3419ae0cdfa3d7df30384adba0dd200542821fae02d050
Instruction Fuzzy Hash: 36F06275804384AAE7118E1ADC88B67FFA8EF85634F18C55AED484A396C3799844CBB1

Function 033DB3F8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca34534d07841eba1560d19b5ef8349325c50dcdf3efec08124a5ff797bdc26
Instruction ID: 95ecb6f58e6b3abe65e151ccc9e65367a35ff2dbfbbc32d436d1cc26ffe704d9
Opcode Fuzzy Hash: fca34534d07841eba1560d19b5ef8349325c50dcdf3efec08124a5ff797bdc26
Instruction Fuzzy Hash: ECF082377006104B8B19FA39B59453EF2AA9FC8651B194039D905CF390DF7EC942D795

Function 033DD5E0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711dc98e971d6be0e22b63f221b70bbe7d821aff3b9367f720e902049159e265
Instruction ID: 5ef5d45030c4a436c212703b1e3015a551274324595a2177c961d64d32ae1813
Opcode Fuzzy Hash: 711dc98e971d6be0e22b63f221b70bbe7d821aff3b9367f720e902049159e265
Instruction Fuzzy Hash: 57F090723052024FCB159B69E8D4959BBA9EFD53113550579D006CB265DE60DC0ACB90

Function 033DD648 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7249c1ccb015effa75835abe101946e5beed165cd1e9c1d3d0753b904d3f1547
Instruction ID: ef6c7e9be9bef35dcd94c47b39bcb5808bfda7dbc6630f09fb4dcdfbf165910e
Opcode Fuzzy Hash: 7249c1ccb015effa75835abe101946e5beed165cd1e9c1d3d0753b904d3f1547
Instruction Fuzzy Hash: 8A0114712002108FC714DB28E998D997BF5AF49705709459AE00ACB372C761EC40CB80

Function 033D27F8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec024d80eac7ef58912b9e75b888d5a5c0d0a1794faceaf718349d461c2df49
Instruction ID: 45ef97f5d15722987972943b207c53f016a3563b65fc24c8201c1a31c6eb3abd
Opcode Fuzzy Hash: 2ec024d80eac7ef58912b9e75b888d5a5c0d0a1794faceaf718349d461c2df49
Instruction Fuzzy Hash: A2F01C367641149FC714DF2DD894D56BBF9EF8AA2131640FAE109CB372DA61EC02CB54

Function 033DA7C8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91

Function 033D03F2 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb26c6e8d0fce861d66849b12782c8446bb5ee702cb9da22888ecbd855ec46c0
Instruction ID: 9009d3f0a041ef22cb30cc9e5c00ec5f44e5c1a915abc1aa2a2954848eb19b5a
Opcode Fuzzy Hash: cb26c6e8d0fce861d66849b12782c8446bb5ee702cb9da22888ecbd855ec46c0
Instruction Fuzzy Hash: A0F0E9334447499FCB02CF58EC80995BB70FF5A210B088293F1D88B522D331E461C751

Function 033D2850 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984c908d8cc6d3f8e9bb5ff607b55aad72a091cc628427ad132c1f70882b5b95
Instruction ID: b159aff1ea47389e3839d1b0a9416a69ac66b0074962153011fc30770dd7c4a1
Opcode Fuzzy Hash: 984c908d8cc6d3f8e9bb5ff607b55aad72a091cc628427ad132c1f70882b5b95
Instruction Fuzzy Hash: 0BE06D71F00A250B4B08EBBFA44486AF6DBAEE8511318C46FC40E8B634ED719C018680

Function 033D2808 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction ID: 1c91db882cfbd14187c1b7d959e82653d5e016d81b58a295c7462b327ec51df1
Opcode Fuzzy Hash: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction Fuzzy Hash: 01E0E5367604148FC714DB2ED848D56B7E9EF89A2131640BAF209CB372DA61EC02CB90

Function 033D86C9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb27abe13bfa7591f2c2bb3698189d30055d9076f497a32d6914093715906fb
Instruction ID: d393614b5c476d871c3d8f5e6119e691631f7ffd59539b9ccaa36683196dde47
Opcode Fuzzy Hash: 3bb27abe13bfa7591f2c2bb3698189d30055d9076f497a32d6914093715906fb
Instruction Fuzzy Hash: 5DF0A071A05244EFCB11DFB8E9909ACBBB5EF46300B54829AC840D7315E7362F24DB00

Function 033DBE40 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f9bc6af88c5e941f3771312d381d33b3d66a564a6bfc99c2da4ea57f08b81f
Instruction ID: 2dd9fe1bd85c6bae3b4ba12b95d0168d6cc33fc2485e07e1f866dc2d0e6063c5
Opcode Fuzzy Hash: e3f9bc6af88c5e941f3771312d381d33b3d66a564a6bfc99c2da4ea57f08b81f
Instruction Fuzzy Hash: 5DE0D83220D7451B8216D65DB884C4BFBAAEEE6210705496FD5058B235DE64DC09C3D2

Function 033D24F4 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f775c30f5a1a040f6bfd22fb56329860aa22f9e88ff2a3a776b78db9c47689c9
Instruction ID: ce89cd3048ab7ca9013760318e92fbe4b49d4277415eab72f93a9489905fac6a
Opcode Fuzzy Hash: f775c30f5a1a040f6bfd22fb56329860aa22f9e88ff2a3a776b78db9c47689c9
Instruction Fuzzy Hash: 09E08C313507049F8328DA1CE880C6AF7EDEF883103158A6AF109C3A20CAA0EC088684

Function 033D989E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1ff89635605ecad6d04061cd8182b8b38038234efd8a2faf0f6621483c7e574
Instruction ID: 2c0602cc4030e7838674c394e83482b73fdcdcdaeb556e08924d7bac61f64bbd
Opcode Fuzzy Hash: e1ff89635605ecad6d04061cd8182b8b38038234efd8a2faf0f6621483c7e574
Instruction Fuzzy Hash: 29E01A76E5021DDACB10DF91F5847EDFB75FB45A17F204416E116B1951C7710944CA90

Function 033D2840 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0695b96b59d7b8ff2c80ccff69321d9444958319d7102c4b785c10f7e165bfb7
Instruction ID: e21eee74efff1ab7b02a350781719d8d89696c8b88bd982f384da01362b9be54
Opcode Fuzzy Hash: 0695b96b59d7b8ff2c80ccff69321d9444958319d7102c4b785c10f7e165bfb7
Instruction Fuzzy Hash: E0E02671B046614FC318E63A68808A6BBE2AEE4201308856FD0898B620EA715D12C780

Function 033D4CE4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03127198815048fdd08a56450571659e924131271abdec8b204e77afad97d6a
Instruction ID: 34fb7df074669dda0988f0862742cef482018ffe7f0d779b53f82df10c6d0d44
Opcode Fuzzy Hash: c03127198815048fdd08a56450571659e924131271abdec8b204e77afad97d6a
Instruction Fuzzy Hash: BEF0AE3AA01108CBCB15EFA5F6946ECB7B5EB88216F2000AAC506B7254DB365E04CB60

Function 033D3061 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1de1158281e388425e023fb3aea3e5ca888f6dd17f1dd60f8b6e6cb66385424
Instruction ID: 21897f229f518a26330ee5d889ebd9aefaebe4e136572990da35ea54cec136e8
Opcode Fuzzy Hash: d1de1158281e388425e023fb3aea3e5ca888f6dd17f1dd60f8b6e6cb66385424
Instruction Fuzzy Hash: BBE0C2322011249FCB019F28E594C587FEDDB4E31070641A7F505CB365CA21DC40CB81

Function 033D09E8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0a908f34b01380dfb62aae3ff1e40fcbe8852010d3f96755b44062b1e3d2d5
Instruction ID: 9cfe25f4097ccc144129285c0db4577ba9fa5923b212dbfeacdfea8b5721957f
Opcode Fuzzy Hash: cb0a908f34b01380dfb62aae3ff1e40fcbe8852010d3f96755b44062b1e3d2d5
Instruction Fuzzy Hash: 82D0A7363003344B9B1876B9741406E37DC9F84A66300007EF50EC7321DE61C80183C8

Function 033DB3BF Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e301286fe399def3682148b6ee1435e9c24e7d5d2536453c3cd4e3d5259b9e49
Instruction ID: dc4874d9704511ae02c7958394d42351644473cf998c074cc16b215c7382ceaf
Opcode Fuzzy Hash: e301286fe399def3682148b6ee1435e9c24e7d5d2536453c3cd4e3d5259b9e49
Instruction Fuzzy Hash: FDD017317507109FC76CCA1CF880CAAB7EAAF8831032586BEF00AC7760CAA0EC058B40

Function 033D86D8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ae027940bdc9eac22c5c28941ffcda807875b7b7b40579ab86036736ad3595
Instruction ID: acae76a5f69303591eb4744a592ac6e14ed6facd11ecad74f727b8b40e267356
Opcode Fuzzy Hash: 97ae027940bdc9eac22c5c28941ffcda807875b7b7b40579ab86036736ad3595
Instruction Fuzzy Hash: F7E04F71A01108EFCB00EFE4E64095CBBB9EB45200F908169D804A3314EB366F049B51

Function 033D05CB Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1722a9996f3910d8075b28794f0bac747efd35f8c04c7f490db82c59d9fee7c6
Instruction ID: b481ec93a56f4ad033ce44f24c16c3da630ea8d1f38e11b2158d9a9428a3ff54
Opcode Fuzzy Hash: 1722a9996f3910d8075b28794f0bac747efd35f8c04c7f490db82c59d9fee7c6
Instruction Fuzzy Hash: 31E01A36A05109EBDF00DF80E940BDEBB72FB88311F108016EA0127250C7724A21DB90

Function 033D09D9 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e4fe0ace74fe621f1d3d557f9b3cd39b6523c6b9643a99140d68b1d6560f96
Instruction ID: a820f469c60fdae2fff8f78d45f7d24fa0b7bb4d25efd71d07215f99bfb3bb96
Opcode Fuzzy Hash: a6e4fe0ace74fe621f1d3d557f9b3cd39b6523c6b9643a99140d68b1d6560f96
Instruction Fuzzy Hash: 58D0A73331D3640FCB0597A9FC916467FFCAE0761070804FBE445C7155E954D801C786

Function 033D3070 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317743012029e7f1fb6aa72409e5d238295ac98b9290a047b902aec553524691
Instruction ID: f71ea61eeed3e6645381156ebeb0ec31bf9aec8584f83577c11bcb110f81f43b
Opcode Fuzzy Hash: 317743012029e7f1fb6aa72409e5d238295ac98b9290a047b902aec553524691
Instruction Fuzzy Hash: C0D0C9363101249F8704AB68E558CA9BBEEEB9D761715806AFA09CB321DA71DC108BD4

Function 033D0400 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
Instruction ID: 103967bf13f508402a192ef6221732069224ae084a114efb1bafc53f37aadea3
Opcode Fuzzy Hash: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
Instruction Fuzzy Hash: BCD0C93614010CEFCB01CF95D844D9A3BBAFF48720F008054FA084B232C332E821EB90

Function 033D9D60 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82c509ffebebba7f1c1229c4e107380eb8ed121daa5540adb30817d59e6ccc6
Instruction ID: d39bc3baf4763a1ca3a87615ff28d5d910d3f2f9d6ef9777ec29b2a5f7f8753c
Opcode Fuzzy Hash: f82c509ffebebba7f1c1229c4e107380eb8ed121daa5540adb30817d59e6ccc6
Instruction Fuzzy Hash: 5BB09B2671433513D708719D74107BD728E4785565F400067951D9B7419CD59D4103DA

Function 033D05C2 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
Instruction ID: 8725dd8a84a1708fc3c5eb3afbd8e27bde656ae0e6cadbd5bc47e45f57e00dab
Opcode Fuzzy Hash: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
Instruction Fuzzy Hash: 95B09277A0810889DB008A84B4813EEF724E780225F104063C611524418372116496D1

Function 033D0998 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c31353ce3bacdd63e494b373454701abee0ee3104e848d414ba61ebd83df867
Instruction ID: 630aa7f3897b4e893cf04cd0169b4aea66781ce4731e79d2d5557c1ce57fbbd7
Opcode Fuzzy Hash: 0c31353ce3bacdd63e494b373454701abee0ee3104e848d414ba61ebd83df867
Instruction Fuzzy Hash: F6B0121ED6810801910CF1391DD083F401AEAC1B04F84CC111181544144C28C0144016

Non-executed Functions

Function 033D3C8A Relevance: 41.7, Strings: 33, Instructions: 438COMMON

Download Yara Rule

Strings

4']q, xrefs: 033D41BB
4']q, xrefs: 033D4137
4']q, xrefs: 033D3E5F
4']q, xrefs: 033D3EA5
4']q, xrefs: 033D3DD3
4']q, xrefs: 033D3EEB
4']q, xrefs: 033D410B
4']q, xrefs: 033D41E7
4']q, xrefs: 033D3F77
4']q, xrefs: 033D3D6A
4']q, xrefs: 033D3F54
4']q, xrefs: 033D402F
4']q, xrefs: 033D423F
4']q, xrefs: 033D3FBD
4']q, xrefs: 033D418F
4']q, xrefs: 033D405B
4']q, xrefs: 033D3F31
4']q, xrefs: 033D3D8D
4']q, xrefs: 033D3E19
4']q, xrefs: 033D4087
4']q, xrefs: 033D3F9A
4']q, xrefs: 033D3EC8
4']q, xrefs: 033D3E82
4']q, xrefs: 033D4213
4']q, xrefs: 033D3DF6
4']q, xrefs: 033D3E3C
4']q, xrefs: 033D4163
4']q, xrefs: 033D40B3
4']q, xrefs: 033D3FE0
4']q, xrefs: 033D40DF
4']q, xrefs: 033D3F0E
4']q, xrefs: 033D4003
4']q, xrefs: 033D3DB0

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
API String ID: 0-2711123852
Opcode ID: eacf7508665dc555c2eaa0f01917f98b731faa8541130543e7d6ab61012825f1
Instruction ID: 9da0fc836cb42ff0a3a0cf7f3e143a7493fa65b850e426adaa3f1afecb6f9cd5
Opcode Fuzzy Hash: eacf7508665dc555c2eaa0f01917f98b731faa8541130543e7d6ab61012825f1
Instruction Fuzzy Hash: BE12B630A0120A8FCB28EF79E990A9E77B6FF94704F90856DD0499B268DF346D45CF91

Function 033D3C98 Relevance: 41.7, Strings: 33, Instructions: 434COMMON

Download Yara Rule

Strings

4']q, xrefs: 033D41BB
4']q, xrefs: 033D4137
4']q, xrefs: 033D3E5F
4']q, xrefs: 033D3EA5
4']q, xrefs: 033D3DD3
4']q, xrefs: 033D3EEB
4']q, xrefs: 033D410B
4']q, xrefs: 033D41E7
4']q, xrefs: 033D3F77
4']q, xrefs: 033D3D6A
4']q, xrefs: 033D3F54
4']q, xrefs: 033D402F
4']q, xrefs: 033D423F
4']q, xrefs: 033D3FBD
4']q, xrefs: 033D418F
4']q, xrefs: 033D405B
4']q, xrefs: 033D3F31
4']q, xrefs: 033D3D8D
4']q, xrefs: 033D3E19
4']q, xrefs: 033D4087
4']q, xrefs: 033D3F9A
4']q, xrefs: 033D3EC8
4']q, xrefs: 033D3E82
4']q, xrefs: 033D4213
4']q, xrefs: 033D3DF6
4']q, xrefs: 033D3E3C
4']q, xrefs: 033D4163
4']q, xrefs: 033D40B3
4']q, xrefs: 033D3FE0
4']q, xrefs: 033D40DF
4']q, xrefs: 033D3F0E
4']q, xrefs: 033D4003
4']q, xrefs: 033D3DB0

Memory Dump Source

Source File: 00000008.00000002.2206406187.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
API String ID: 0-2711123852
Opcode ID: 420a7b4b9f30728ba9511b71900df74438d90242267eb4c42eb85c421c09dae3
Instruction ID: 9a65620bf6798a07680f806e6b0217f057048201dffbbf85576d503c29462b33
Opcode Fuzzy Hash: 420a7b4b9f30728ba9511b71900df74438d90242267eb4c42eb85c421c09dae3
Instruction Fuzzy Hash: 5812B730A0120A8FCB28EF79E990A9E77B6FF90704F90856DD0496B268DF346D45CF91

Analysis Process: Exccelworkbook.exePID: 7716, Parent PID: 7568COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	87
Total number of Limit Nodes:	11

Executed Functions

Function 0812B2C0 Relevance: 3.5, Strings: 2, Instructions: 1019COMMON

Download Yara Rule

Strings

(aq, xrefs: 0812BEEB
(aq, xrefs: 0812B8A0

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: (aq$(aq
API String ID: 0-3916115647
Opcode ID: 736c514b00d29271b548fb69eb1e6b99b67de8e8bb4681488af6b826e2df62c3
Instruction ID: 744421bf42635b44f564557e4e5d081247fc513bea32bb3afc377e32f2dcac61
Opcode Fuzzy Hash: 736c514b00d29271b548fb69eb1e6b99b67de8e8bb4681488af6b826e2df62c3
Instruction Fuzzy Hash: B4829C71B04665CFCB19CF68C49466EBBF2BF84311F14866DE55A8B3A1CB34E812CB90

Function 08129700 Relevance: 9.2, Strings: 7, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 081299DE
Haq, xrefs: 08129BFD
(aq, xrefs: 08129B7A
(aq, xrefs: 08129BA6
(aq, xrefs: 08129ED8
(aq, xrefs: 08129A48
Haq, xrefs: 08129BD2

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: (aq$(aq$(aq$(aq$(aq$Haq$Haq
API String ID: 0-2223377583
Opcode ID: edc7180ac7311ff42c044b84cc606c5bbcdbbb3cf6cd8f432d9b551ed707e3f7
Instruction ID: 0c7e5d7ee50669592dc066ce8bfdaf1cdc5e671448bccd9f199862849a892ef5
Opcode Fuzzy Hash: edc7180ac7311ff42c044b84cc606c5bbcdbbb3cf6cd8f432d9b551ed707e3f7
Instruction Fuzzy Hash: CEE1D130A00615CFCB15DF6CD494A6EBFE2FF85216F588A59D44ACB795CB30E822CB91

Function 02EE6518 Relevance: 6.1, APIs: 4, Instructions: 139
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02EE65BE
GetCurrentThread.KERNEL32 ref: 02EE65FB
GetCurrentProcess.KERNEL32 ref: 02EE6638
GetCurrentThreadId.KERNEL32 ref: 02EE6691

Memory Dump Source

Source File: 0000000A.00000002.4495589759.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ee0000_Exccelworkbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 734daca34609f6131a399a38e76093555398a8903b26921acd829bfa297b0b55
Instruction ID: 616c60948c4b4aad18502be6bb1078c780b88b63a17ac7ea6453d186fdd366f8
Opcode Fuzzy Hash: 734daca34609f6131a399a38e76093555398a8903b26921acd829bfa297b0b55
Instruction Fuzzy Hash: 325167B091030ACFDB04DFA9D549B9EBFF5BF48304F248459E509A72A0DB389844CBA5

Function 02EE6540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02EE65BE
GetCurrentThread.KERNEL32 ref: 02EE65FB
GetCurrentProcess.KERNEL32 ref: 02EE6638
GetCurrentThreadId.KERNEL32 ref: 02EE6691

Memory Dump Source

Source File: 0000000A.00000002.4495589759.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ee0000_Exccelworkbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 983661add623d1ab7c0be032055c1f135d1bcd38877e89bd76b9768e07b925b4
Instruction ID: 9378c3e1ac9801c2c7a5ae7afc0ec6d0b89d937702ed4d6061717dbdfd417e47
Opcode Fuzzy Hash: 983661add623d1ab7c0be032055c1f135d1bcd38877e89bd76b9768e07b925b4
Instruction Fuzzy Hash: AA5146B091030ACFDB14DFA9D548BAEBBF5FF88314F20C459E409A72A0DB389944CB65

Function 08128F40 Relevance: 4.3, Strings: 3, Instructions: 507
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 08129045
(aq, xrefs: 08129308
(aq, xrefs: 081294E0

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: (aq$(aq$(aq
API String ID: 0-2593664646
Opcode ID: 26cf5805c76387e7dd20ce32e13238993fc4488f48bb3d7a2d960994dce011e3
Instruction ID: cc570ba0d0dece6add3f2e7acac98d813235d85fc9dbf5ffbb05a60a7286a024
Opcode Fuzzy Hash: 26cf5805c76387e7dd20ce32e13238993fc4488f48bb3d7a2d960994dce011e3
Instruction Fuzzy Hash: 70029C34B0061ACFC754DF68C494A6EBBE6FF88310B148A69D44ADB791DB34ED02CB91

Function 081228A0 Relevance: 4.1, Strings: 3, Instructions: 366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 08122A21
(aq, xrefs: 081229F5
(aq, xrefs: 081229C9

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: (aq$(aq$Haq
API String ID: 0-2456560092
Opcode ID: c493d68e8ba372f631e89e6e0ade09a4a54a73799a701fc827d90933d0e49d38
Instruction ID: 62591097282116d475b177e562ccd30a9fe56db122dd701350b68b6ecf13be80
Opcode Fuzzy Hash: c493d68e8ba372f631e89e6e0ade09a4a54a73799a701fc827d90933d0e49d38
Instruction Fuzzy Hash: A7E19734A00219DFCB44EF64D5949AEBBB2FF89310F118569E906AB364DF30ED46CB91

Function 08127920 Relevance: 2.8, Strings: 2, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 08127C09
4']q, xrefs: 08127BD2

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: c9aa4f24d88c69e2ea98e95db924909c45560a435e20a5b195dcb3632f6c2d92
Instruction ID: b22734cffc99c11008b22050531a3373f254f3b16c0c8e90c6a2d805e9f25956
Opcode Fuzzy Hash: c9aa4f24d88c69e2ea98e95db924909c45560a435e20a5b195dcb3632f6c2d92
Instruction Fuzzy Hash: 59C1C974B00218CFCB44EFA4D994A9EB7F6FF88301F114569E506AB3A5DB71AD42CB50

Function 08127912 Relevance: 2.8, Strings: 2, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 08127C09
4']q, xrefs: 08127BD2

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 5725f92e356bb7d1fd8227a174fcbc5c2fa2e9e262ed5e280b8e3edab95d01cb
Instruction ID: 52c6ae0aaad75aff5f4ffed8d92456fbd1391ff2ad147140c0fa17a8078d91a3
Opcode Fuzzy Hash: 5725f92e356bb7d1fd8227a174fcbc5c2fa2e9e262ed5e280b8e3edab95d01cb
Instruction Fuzzy Hash: A9C1D974B00218CFCB44EFA4D994EAEB7B6BF89301F114568E506AB3A5DB71ED42CB50

Function 0812AE38 Relevance: 2.7, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 0812AF5D
Haq, xrefs: 0812AF89

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: (aq$Haq
API String ID: 0-3785302501
Opcode ID: c94657743ff86a721c6a70281964945441ad3e0217c4061b9f41f441811c797c
Instruction ID: 7fa52028737003163bd0a53ed0d6b232c963c6970498b726ddebc3390dd3189f
Opcode Fuzzy Hash: c94657743ff86a721c6a70281964945441ad3e0217c4061b9f41f441811c797c
Instruction Fuzzy Hash: D451D331300765DFD725DF29C890B5ABBE6FF84321F10892EE55A8B2A1DB75D806CB60

Function 08127238 Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,aq, xrefs: 08127251
(aq, xrefs: 081272B1

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: (aq$,aq
API String ID: 0-1929014441
Opcode ID: e808af41253c112da1ded9c22a40f245e261c4b2737d3c91d13e838429070051
Instruction ID: ceea4543ea4181eeb85a5ed13cb292e89f12c16742b056a2fdfe875fc2f6ba00
Opcode Fuzzy Hash: e808af41253c112da1ded9c22a40f245e261c4b2737d3c91d13e838429070051
Instruction Fuzzy Hash: 9A41D5327001596FCF429EEA9C508FFBBEEEF89211B04406AFA05D7291DE35C92597B0

Function 02EEBFF0 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02EEC256

Memory Dump Source

Source File: 0000000A.00000002.4495589759.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ee0000_Exccelworkbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 51c3f60a9941997295fd4b8874561e12713f164fe935ce11abaa1dcbc1547476
Instruction ID: d79e3f2e85417c21a9e91a5b7eeb78d28c947768ad907b066c61122de34669d7
Opcode Fuzzy Hash: 51c3f60a9941997295fd4b8874561e12713f164fe935ce11abaa1dcbc1547476
Instruction Fuzzy Hash: 5D8156B0A00B058FDB64DF69D44079ABBF2BF88304F10992ED48AD7B50DB75E846CB90

Function 02EE6414 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02EE7421

Memory Dump Source

Source File: 0000000A.00000002.4495589759.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ee0000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e3dc782afed77bed191883a425a2d9e1ea06a4d34b86b6d18f419d5187651c2f
Instruction ID: ce32112eb5f5cc0b68f64d6ad3208f6ebb4d5c4ccabab5c10d5adecfbc97a562
Opcode Fuzzy Hash: e3dc782afed77bed191883a425a2d9e1ea06a4d34b86b6d18f419d5187651c2f
Instruction Fuzzy Hash: 3541DFB0C00619CADB24DFA9C884B9EFBF5BF48304F20806AD419AB255DB756946CF90

Function 02EE7364 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02EE7421

Memory Dump Source

Source File: 0000000A.00000002.4495589759.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ee0000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 61b05300c8492152ff3ddf92eb422f4c0bbfb914a1051042c503ce3ce1b5c2e8
Instruction ID: 40e2fccd4d09e30635a064cee31f5a9da54af7cf7c8f0fc11f5402916b324baf
Opcode Fuzzy Hash: 61b05300c8492152ff3ddf92eb422f4c0bbfb914a1051042c503ce3ce1b5c2e8
Instruction Fuzzy Hash: 9841F0B1C00719CADB25CFA9C944BDDFBF5BF48308F20806AD419AB255DB75694ACF90

Function 02EE6780 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EE680F

Memory Dump Source

Source File: 0000000A.00000002.4495589759.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ee0000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 08ba5efc13c74da264bf2419f22b78c3af555f13b5419792ac18fa7212af95c3
Instruction ID: d149472a56502a128840ce37407ad87598f0cabbf2493411e9661b7bf56acd32
Opcode Fuzzy Hash: 08ba5efc13c74da264bf2419f22b78c3af555f13b5419792ac18fa7212af95c3
Instruction Fuzzy Hash: 122107B59002489FDF10CF99D984ADEBFF8FB48324F14841AE915A7351D379A940CFA5

Function 02EE6788 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EE680F

Memory Dump Source

Source File: 0000000A.00000002.4495589759.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ee0000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 11b48db3cff0029e2300f65bd9cee78d9e398a1289bb914e2d252b2658b35a9c
Instruction ID: 230f68e9dc5ce92bd77c9f5a33ec435efee68efb112cc7b512208721d9d0061e
Opcode Fuzzy Hash: 11b48db3cff0029e2300f65bd9cee78d9e398a1289bb914e2d252b2658b35a9c
Instruction Fuzzy Hash: 0E21C4B59002489FDB10CF9AD984ADEBFF9FB48310F14841AE918A3350D379A944CFA5

Function 08126680 Relevance: 1.6, Strings: 1, Instructions: 309COMMON

Download Yara Rule

Strings

Pl]q, xrefs: 0812669F

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: Pl]q
API String ID: 0-2207481929
Opcode ID: b744ffa187ab91b4fbc92b5821301050d7a7b7b589a7f1f05ea56fa73b37cafa
Instruction ID: a28eb339fb3f1128359b798c7545ee1d8b28b9dadaa0222276d6a5845cb8f2f6
Opcode Fuzzy Hash: b744ffa187ab91b4fbc92b5821301050d7a7b7b589a7f1f05ea56fa73b37cafa
Instruction Fuzzy Hash: 4AD10C74B11218DFCB44EFA9D994E9EB7B6FF88700F118558E906AB3A5CB71AC01CB50

Function 02EEC1F0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02EEC256

Memory Dump Source

Source File: 0000000A.00000002.4495589759.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2ee0000_Exccelworkbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9dfc55aef5a2de5fd22fc86a4f8b2fe7bae7450da75e231319779f1a1017df38
Instruction ID: 679e4a97502513d40770ec43eed65767a37f9b4428fce76c88033b195a79abd5
Opcode Fuzzy Hash: 9dfc55aef5a2de5fd22fc86a4f8b2fe7bae7450da75e231319779f1a1017df38
Instruction Fuzzy Hash: EA110FB5C007498FCB10DF9AD444A9EFBF4AB88614F20842AD429B7200C379A545CFA1

Function 08126672 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

Pl]q, xrefs: 0812669F

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: Pl]q
API String ID: 0-2207481929
Opcode ID: 2c1ab592e8835914bc855a5ffc68a512ca9be0f303e93156dfd654fc6262d1c1
Instruction ID: 8da77bb75e1ceb5cc07d7eadd1eba2b93c82bce1002607460d80ef19b53e61f1
Opcode Fuzzy Hash: 2c1ab592e8835914bc855a5ffc68a512ca9be0f303e93156dfd654fc6262d1c1
Instruction Fuzzy Hash: CEB10F74B11218DFCB44EFA9D994E9EBBB6FF88700F114558E905AB3A5CB71AC01CB50

Function 08120F18 Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

Haq, xrefs: 08120FB5

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 8ae1ad708ab57b304bacf6329613f67421e2965b52f744331b1f852cc1c8b430
Instruction ID: b02eab0d5fa06243685103687381b7f4861a95512379f028875345a7c0796322
Opcode Fuzzy Hash: 8ae1ad708ab57b304bacf6329613f67421e2965b52f744331b1f852cc1c8b430
Instruction Fuzzy Hash: 7D518E34B006158FC744EF68C95496EBBB6FF89710B1185AAE506DB361DF30ED06CBA1

Function 08121EF5 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

4']q, xrefs: 08121FAA

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 2c54ac976d07527c65607416a8b72aaece23a186b70b409076481338810ebbc1
Instruction ID: 21624fc5966b920d4ff16530c5fa41e26c27a6627f30cbf58c98c6ed89d8a36e
Opcode Fuzzy Hash: 2c54ac976d07527c65607416a8b72aaece23a186b70b409076481338810ebbc1
Instruction Fuzzy Hash: 7D418B21B083949BD716BB28DC55BAE7FA7AFC2700F06005AE581DF2D2CFB1490AC791

Function 08121F70 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

4']q, xrefs: 08121FAA

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 3b10fcfa874e512558f3bbde8e324fc0bd3e5220e91b07949854057aa56dbb1d
Instruction ID: d9fae357adc7243bbbd66cb9c97c776989a046e9ce91f57ac7bfe502fcc1c724
Opcode Fuzzy Hash: 3b10fcfa874e512558f3bbde8e324fc0bd3e5220e91b07949854057aa56dbb1d
Instruction Fuzzy Hash: 62415E30B106148FCB94FB64D85496EB7BBBFC9700F12452AE912AB394CF749D06CB95

Function 08123CD9 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

4']q, xrefs: 08123D8E

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 764314573d57b77d71085ea89efb81d7b5dcfa51e0fb3f20f2a555ab7fbb40e1
Instruction ID: 794cfa36fbb3870cbc1c098729211e26b357b0fcef4bf9d1860d723e3b536c19
Opcode Fuzzy Hash: 764314573d57b77d71085ea89efb81d7b5dcfa51e0fb3f20f2a555ab7fbb40e1
Instruction Fuzzy Hash: CA414B313406149FD358EB69D954F2A7BEAAFC8704F104568E6068F3A6CF75EC02C7A1

Function 08123CE8 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

4']q, xrefs: 08123D8E

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 0444d764286ce22582b1eb033b052eb74d3d6535928dd07f8f8690b634c41b8e
Instruction ID: f1046c309879dc297f43d48bbd8184a06cd2cb6a26a85db54b3cf5c43ee31410
Opcode Fuzzy Hash: 0444d764286ce22582b1eb033b052eb74d3d6535928dd07f8f8690b634c41b8e
Instruction Fuzzy Hash: 33314B357406149FD358EB69D994F2B77EAAFC8704F104568E60A8B3A5CF75EC02C7A0

Function 081230A8 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

(aq, xrefs: 08123105

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: ff8bf410dbce9e2c28298bea654a0cd02b14c3ec9a458a08f493f2acd0381962
Instruction ID: e4c5a8b6b569b95f7551544fc988bc0713f002e48698f7612c2d52450ac5f0b3
Opcode Fuzzy Hash: ff8bf410dbce9e2c28298bea654a0cd02b14c3ec9a458a08f493f2acd0381962
Instruction Fuzzy Hash: 8C216036604254AFC7469F69D814C59BFB6FF8A22030680D6E509CB272DB35D811DBA1

Function 08120E88 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

(aq, xrefs: 08120ED6

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 6b116562761746a2de87f535a2d3a56c1ee39de7f82f73d20384d94e32df31fb
Instruction ID: 947260c39fc66735893e18358cbc2c6bcd8f69123eccf61c0d1942be64820df3
Opcode Fuzzy Hash: 6b116562761746a2de87f535a2d3a56c1ee39de7f82f73d20384d94e32df31fb
Instruction Fuzzy Hash: 38017B213086A58FC7466738442067F3E979FC6601F0541AED901CF3C2DF688C12C3E6

Function 0812A551 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

xaq, xrefs: 0812A551

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: xaq
API String ID: 0-793007810
Opcode ID: 2c7a6b74312817a34216455e04529a533105bc2d5e8bbbca1617dc2fcc99b51e
Instruction ID: 5c7684b704ef63582681a921cd4ceab455cb50e8d505bd6102efd94725be4809
Opcode Fuzzy Hash: 2c7a6b74312817a34216455e04529a533105bc2d5e8bbbca1617dc2fcc99b51e
Instruction Fuzzy Hash: D7F0A0347002149FDB04CB18D950A5ABBF5FF88324F158099E50A9F362C772FC028B90

Function 081221B0 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec7655e2f3d172c395f9d213faada1aef94e3a75275505188cf5087ad2d0bce
Instruction ID: b28a3614f083de32d0ec998459a9a06405aca0e6c6c201f078b6029d7b58f534
Opcode Fuzzy Hash: eec7655e2f3d172c395f9d213faada1aef94e3a75275505188cf5087ad2d0bce
Instruction Fuzzy Hash: 18122A34A00219CFCB54EF68C994AADB7B2BF89300F5185A8D54AAB365DF70ED85CF50

Function 08126B14 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74f719190f5cd704624a4dd08b12e927d98c9dba8dee3108da2084f6ac84068
Instruction ID: c93e0f91e3ccb3f11cf587b66691d80735a37bc33f3c565096e4b20eb305500d
Opcode Fuzzy Hash: a74f719190f5cd704624a4dd08b12e927d98c9dba8dee3108da2084f6ac84068
Instruction Fuzzy Hash: 46A16A34700618CFCB44EF78C86496E7BB2BF89700F004669E5069B3A5DF75AD46CBA1

Function 08126B48 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d380157ae033eeb07b1c9a9abb408bcea1520fbcb746328d2d56e8b2c24949b
Instruction ID: 0f2c4c3d9df75f92a97b56f716565e30a9ad598b859ebcc8d45877824f68ac6f
Opcode Fuzzy Hash: 5d380157ae033eeb07b1c9a9abb408bcea1520fbcb746328d2d56e8b2c24949b
Instruction Fuzzy Hash: 75A15A34B00618CFCB48EF68C99496E7BB3BF89700F104668E5169B3A4DF75AD46CB91

Function 08123170 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 284b2c673004d52eda73f8f5ea2525b81a73c40e644ecbf17b3775b730347064
Instruction ID: d4ebe1d41500270a461ab4f73c0c93ce2c1ed8c2cb2ab1079bde7ef7e3ad5bcf
Opcode Fuzzy Hash: 284b2c673004d52eda73f8f5ea2525b81a73c40e644ecbf17b3775b730347064
Instruction Fuzzy Hash: 2D914A34700214DFCB44EF68D894A6EBBB6BF89701F1541A9E916DB3A1CB34ED52CB90

Function 08125AC8 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b5beb7d406f812b2cafaffef1d7c945cd1f1ce569d974bd3a53acc2f38e471
Instruction ID: 2042bac6c5500fecf93f4667631161bfed427bf8ec135d78473a84727fc75d4c
Opcode Fuzzy Hash: 52b5beb7d406f812b2cafaffef1d7c945cd1f1ce569d974bd3a53acc2f38e471
Instruction Fuzzy Hash: 56815E34B00619DFDB48EF64D4A4BAEB7B3AF88701F104229D502AB794CF75AD52CB91

Function 0812A6CB Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7355aedbba185b924d4bc09f121b3995563f7ce05c9d5ff04206b275882a7782
Instruction ID: 67acdbc21dca5c041ea8e7e21aa3889292aea16b37671f856d526d36055663ec
Opcode Fuzzy Hash: 7355aedbba185b924d4bc09f121b3995563f7ce05c9d5ff04206b275882a7782
Instruction Fuzzy Hash: F381E274A21229EFCB54CF98D980EADB7B6FF88310F164159E905AB361E731EC41CB40

Function 08123161 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1deebfadd584625211b8a79b09f34594b6b56820a7b88ce3e74b69dd18b14f1e
Instruction ID: ace575507dc2f4f81ecbfb5e0a57a88bb005cbfae636a29f2669256caea6ba52
Opcode Fuzzy Hash: 1deebfadd584625211b8a79b09f34594b6b56820a7b88ce3e74b69dd18b14f1e
Instruction Fuzzy Hash: DC614B34B10614DFCB44EF68D894A6DB7B6FF88701F1581A9E9169B3A1CB70ED42CB90

Function 08125AB8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c89ab64db3b229a4ccaf49d7381ec1e7798c0848e009d6701a5bd57f9ad9641
Instruction ID: 9f0cc4c479bd4f16b7166d62edda7195b1a45a92cb92cdb19be8e9a5be6bf606
Opcode Fuzzy Hash: 4c89ab64db3b229a4ccaf49d7381ec1e7798c0848e009d6701a5bd57f9ad9641
Instruction Fuzzy Hash: 2E51A334B00628DFDB49EF64E494BAE77B3AF88301F104168D4029B794CF75AD52CBA1

Function 08122E38 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31f3061113f22da04ec0c2ff36aa9c9b39d14f44ef57263a38e468fd1e79f92
Instruction ID: 499681f9d425c6a3eca41f08332cdd4b26602cf8dae8b5a347dab473be8efb51
Opcode Fuzzy Hash: a31f3061113f22da04ec0c2ff36aa9c9b39d14f44ef57263a38e468fd1e79f92
Instruction Fuzzy Hash: 03518E30340611CFD729AB24C994B3AB7A3AFC9305F14856CE6068F7A5DB76EC42C791

Function 0812B158 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b85a171084a48bda04f28d62fdcb3c4b4f72fc96f60889365f9825c4cee94e7
Instruction ID: 91c5482093078f798115cd1de2bbb1a42d381b6f4c8eac4887de2aedddedb321
Opcode Fuzzy Hash: 6b85a171084a48bda04f28d62fdcb3c4b4f72fc96f60889365f9825c4cee94e7
Instruction Fuzzy Hash: 6541AF31B04B25CFCB64DB78E55029EBBF2AF84320B44896ED55ACBA54DB30E911CB91

Function 0812AA70 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5595bea54aa6b9a1efc8004f7c37394ac2143fb144a23e2fb537cf57197fa715
Instruction ID: 3cea45cdd057d6391d74fa0df7a965a984ab089f7456a4f8fed0e998f9f520bf
Opcode Fuzzy Hash: 5595bea54aa6b9a1efc8004f7c37394ac2143fb144a23e2fb537cf57197fa715
Instruction Fuzzy Hash: E8418C32B002158FC744DF68C950A9ABBF6BFC9310B2585AAE509EB361DB31EC11CB90

Function 08125E11 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee665d8a5ff27d83348b261e426f6630eb2059ed4f836162aeb6acb196404b5f
Instruction ID: 57089faa2b2aae1b6e1a7176cbfb4f98d1f606ea9c6f035820010e60b192b78e
Opcode Fuzzy Hash: ee665d8a5ff27d83348b261e426f6630eb2059ed4f836162aeb6acb196404b5f
Instruction Fuzzy Hash: 5D318E34B106188FCB45FF78C9549AEBBB6BFC9600B01815AD502DB365DF709A06CBE1

Function 081234A0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48f2ccbdd159f9f824afb68139c0e2f1f0d6ce2ef4a8b3028c1fa3dc7460dd6
Instruction ID: c7315eb40049244ace18020a0eb899c55e54e30a2594b9086dd271bcba4f69f1
Opcode Fuzzy Hash: a48f2ccbdd159f9f824afb68139c0e2f1f0d6ce2ef4a8b3028c1fa3dc7460dd6
Instruction Fuzzy Hash: 50314B35A00118DBDB14DF69D855AEEB7B6FF88311F108129E816BB3A4CB359D19CFA0

Function 08125E28 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685dd55ff2b69d76dc65cbea6556fb71711be6ea6b60671e31381b95956bfb6f
Instruction ID: 32fa41a5e6759d325ce94aacd27fbde1dd459352c5cdf04dc890b642d8e2e444
Opcode Fuzzy Hash: 685dd55ff2b69d76dc65cbea6556fb71711be6ea6b60671e31381b95956bfb6f
Instruction Fuzzy Hash: 0A314B34B105188FCB84FF64C994AAEB7B7BFC9700B11855AD9069B364DF709A02CBE1

Function 0812ABB8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30c3305557edc74083db461bee66b0765e531947f097bf930fb6fb53f223f86
Instruction ID: 1129c07c54b7d93289299e13c3cf970c2523a3dac4a9c481d50acee333e9f740
Opcode Fuzzy Hash: c30c3305557edc74083db461bee66b0765e531947f097bf930fb6fb53f223f86
Instruction Fuzzy Hash: 83218E31A00219DFCB15DFA8C8449EE7FBBEF8D320F149129E511AB3A0CB719855CBA1

Function 0156D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4495083376.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_156d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2eff684d7048a5447678e789f83189bb0e916ca7b0b4c87557ebb2b617af990
Instruction ID: 0f73df53db8fc6ab560c7c470f086e73c08e1a46fe10c16f3776500146425dae
Opcode Fuzzy Hash: b2eff684d7048a5447678e789f83189bb0e916ca7b0b4c87557ebb2b617af990
Instruction Fuzzy Hash: 64210375604204DFCB15DF68D580B26BFB9FB88324F20C969D9890F256D33BD406CAA1

Function 08122D78 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7585f930644d7a459e4a9843b53acebc6013a474091d39ad147f1904014932
Instruction ID: 0b652e7d3a478864230b3ff1ff5dd510f4edd8d8ccf0a35087452d077d621139
Opcode Fuzzy Hash: ca7585f930644d7a459e4a9843b53acebc6013a474091d39ad147f1904014932
Instruction Fuzzy Hash: A721AE307106048FCB54EF34D984AAEBBF6BF85210F154569E5069B361DB70ED05DBA1

Function 0812ABC8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6f25d4bc0e4f46d2f9e99f2b338ca65b4ac14796348eff9225f0ea7fe4956c
Instruction ID: bf461c5fc7d8521d9df9f37215eb58d7a3e9558a439cfca673430fb3b82b5fe4
Opcode Fuzzy Hash: de6f25d4bc0e4f46d2f9e99f2b338ca65b4ac14796348eff9225f0ea7fe4956c
Instruction Fuzzy Hash: AD213A31A00219DFCB159FA8C8549EE7FB7EF8C321F149129E515A73A0DB719841CBA0

Function 0156D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4495083376.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_156d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395e43eff318f161ada2d1a86243109eaaf0bca53fe4a293d4cd7d9300c8029c
Instruction ID: bed918291da03b5c45d0c9a1838c39bd5ac9f0eec7f1bc434a592506cd3f78f6
Opcode Fuzzy Hash: 395e43eff318f161ada2d1a86243109eaaf0bca53fe4a293d4cd7d9300c8029c
Instruction Fuzzy Hash: 162183755093808FD703CF24D594715BF71FB46214F28C5DAD8898F267C33A980ACBA2

Function 08122D88 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f463e087c146f4df18323c0f8b114f4ce8ff2d0b296452726dbeea5df845bc
Instruction ID: c62dbd81c1cb72e8e3634a5a12822df59e1bc770992639ac159cde238492ad68
Opcode Fuzzy Hash: 48f463e087c146f4df18323c0f8b114f4ce8ff2d0b296452726dbeea5df845bc
Instruction Fuzzy Hash: 29118834B006048FCB54EF28D984AAEB7F6FF88300F154529E9069B360DB70EE05DBA1

Function 0812A8C8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d686fb10f51f5782164e5d6792250b922526e9f153145e01ca97333ba2c1fc1
Instruction ID: d9f65fb066d1c52dd493e75a8ad56a997f2be2daf1a1b959918c190f386e7062
Opcode Fuzzy Hash: 8d686fb10f51f5782164e5d6792250b922526e9f153145e01ca97333ba2c1fc1
Instruction Fuzzy Hash: 87115A30A11239DFCB54CF58D894EADBBB2FF48220F060159E512AB3A2CB359C05CB40

Function 081235D9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4516481258eaa7ecf6fad30a37bc764dae42eabef12d4e9b868cd0e3a45a35a
Instruction ID: 07401ba58f4ee371037247f790eb1c77f68707caea4a4d7c6304c65141ecc8ce
Opcode Fuzzy Hash: a4516481258eaa7ecf6fad30a37bc764dae42eabef12d4e9b868cd0e3a45a35a
Instruction Fuzzy Hash: 1101E1313043508FC3259B34E454A36BBB2AFC5311F1886ADE1668B7A1CB79E816DB60

Function 08120991 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bae69650bac927f1973d238d22a988d900489f0ccadfcf84d8224f3d09def8
Instruction ID: f3c76d7a87e96ea39a3bf1d844ab89be3d3c370c7d37d6bd37b53ecd0f5ac3db
Opcode Fuzzy Hash: 74bae69650bac927f1973d238d22a988d900489f0ccadfcf84d8224f3d09def8
Instruction Fuzzy Hash: 670171357006109FC7069B24E46496ABBB3EFC971171181ADEA068B7A5CB75EC12CB91

Function 081235E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73e7e24ac79ceb78545a1b00fbf1930f0e0b0fcc4e80db9347984d78255c835
Instruction ID: 20c4e4fae93e173b2ea02036423835217cc8469ef118ef0f087fab4e409eac91
Opcode Fuzzy Hash: a73e7e24ac79ceb78545a1b00fbf1930f0e0b0fcc4e80db9347984d78255c835
Instruction Fuzzy Hash: A001B131300614DFD724AB24E454A3BBBA7AFC9311F14866CE6264B7A4CB76EC12DB90

Function 0812B6D0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca9c2bfdbd42c054414d051c30ba33cb83f1adf05bbc1cf41d33c708fb30c86
Instruction ID: 06b11aed71cdcf758daf8fa22879d0e355ec1e982bbffe08046ca898b5dd9f99
Opcode Fuzzy Hash: 2ca9c2bfdbd42c054414d051c30ba33cb83f1adf05bbc1cf41d33c708fb30c86
Instruction Fuzzy Hash: 9D019E31E04619DFCB01DFACD40499DBFB5AF89711B0181AEE049E7360EB309A08CB61

Function 08120718 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2a9a06f4cce715562b8f2372a8b408f5d0c492625d4ea837522b7667dcff0e
Instruction ID: e46c1e953e1fcb5282d7d8588c28c197533707a1a0e1f11513a6f57e09f2b78e
Opcode Fuzzy Hash: da2a9a06f4cce715562b8f2372a8b408f5d0c492625d4ea837522b7667dcff0e
Instruction Fuzzy Hash: FD018135341300AFC3059B28D854D6A7BABEF8A620B1540A9F946CB372CA31DC42CBA0

Function 08120E78 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5fb09a05b4ed1480d208d74509755657019c194bdc38b285601fc92f96d87ef
Instruction ID: 973e3087c000023bbdac1db1c63a16881352093dcfb0c6be4fcfb89286076617
Opcode Fuzzy Hash: f5fb09a05b4ed1480d208d74509755657019c194bdc38b285601fc92f96d87ef
Instruction Fuzzy Hash: 17F05921305A60ABC70161295904E7F3F9F8FC6511B05016FEA01CF342CF748D9283F1

Function 081209A0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5031789c154f095c5020570a29373ba430db0e64ee9e3532807ad84b37c0be4f
Instruction ID: 5b6eb0380d854fa6875aa02ee4e45fdc3719e2b96aaded3a9caca4aa50907f8d
Opcode Fuzzy Hash: 5031789c154f095c5020570a29373ba430db0e64ee9e3532807ad84b37c0be4f
Instruction Fuzzy Hash: DE01A435700610DFC7059B25E42891AB7A7EFCC7117108169EA068B794CFB5EC02CBD0

Function 0812B6E0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c6b0eb9f1b3faf2823ccf81b7a10630553466bd0e23f75afe8aad5c4fa4e3c
Instruction ID: 68798ecf2136cebb7ae56cb74de12b44cf2dd4ea3ea30b0ba8839bc994012589
Opcode Fuzzy Hash: 17c6b0eb9f1b3faf2823ccf81b7a10630553466bd0e23f75afe8aad5c4fa4e3c
Instruction Fuzzy Hash: 29014B35E00619DFCB00DFA9D54499EBBF9FF89711F10816AE519E7360EB30AA14CBA1

Function 0155D603 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4495023664.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_155d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a2403fb5e2f37a61322292e1f9ee664ef8d1680ede1596d9b9f2fd95f6a57e
Instruction ID: a3e53cfcc844743171d9d35d29d4689674671486482ad276969fc2ff005fd2e1
Opcode Fuzzy Hash: a3a2403fb5e2f37a61322292e1f9ee664ef8d1680ede1596d9b9f2fd95f6a57e
Instruction Fuzzy Hash: 1CF0E7B6200640AF97208F0AD885C27FBEDFBD4670715C55AE94A8B612C671EC42CEA0

Function 0155D5F4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4495023664.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_155d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de8f4a55d02b5dda1070b33efcd90f22f8f4d205471b969b83ae54842685650
Instruction ID: f5231714c7e7d2d991d523e0f90cc1c0265bb26aacc5e180a91d585e88528372
Opcode Fuzzy Hash: 0de8f4a55d02b5dda1070b33efcd90f22f8f4d205471b969b83ae54842685650
Instruction Fuzzy Hash: 70F03775104680AFD725CF06CC94C22BBF9FF89660719848AE84A8B762C631FC42CFB0

Function 0812A96C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49e9997638674fe917106eca2454d20ba852f8e2aa19ee7a1b0be2342596b86
Instruction ID: 6659351d5351fc0c4dbee151f497353a788419b09900282545cc88f6c107f1a1
Opcode Fuzzy Hash: e49e9997638674fe917106eca2454d20ba852f8e2aa19ee7a1b0be2342596b86
Instruction Fuzzy Hash: EAF09AB0A01239EFDF149F55DD5ABEEBBB2FF44621F024019E416A72A1CB758C05CB40

Function 08120728 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40db30041cb6ed18d881a8ac74c5944267ad74febfa7d5d26a16ed92d0a4d6da
Instruction ID: c1171e2e751efc08eef853b47793b19508e54da3287a979b51da7683fdfa7b56
Opcode Fuzzy Hash: 40db30041cb6ed18d881a8ac74c5944267ad74febfa7d5d26a16ed92d0a4d6da
Instruction Fuzzy Hash: 0CF05E353002009FC704DB19D854D3A77ABEFC9B21B1140ADFA068B371CA71EC42CB90

Function 0812AA20 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 923aa5be0a455293822923c0126d63c28c2472ef0641bb585ed38c3e0c221784
Instruction ID: ba62c9c4e2a17c54235018049091a29664cc7b80086d49529aa3da1e084f071a
Opcode Fuzzy Hash: 923aa5be0a455293822923c0126d63c28c2472ef0641bb585ed38c3e0c221784
Instruction Fuzzy Hash: 6FE0CD2130C3644BC345E2B5583005BBBCB8BC6120745C09FD54D87781D9759C028775

Function 08120E51 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17059c95d42d19fdf0fe788683543688e085fac57b7955a02c4cd6f9eddf7ab8
Instruction ID: b90c40a3a1bef6bf7fb6dfebffaaff64d11f973257f32c1596270f03ae8e5a68
Opcode Fuzzy Hash: 17059c95d42d19fdf0fe788683543688e085fac57b7955a02c4cd6f9eddf7ab8
Instruction Fuzzy Hash: 40D05E3014A7805FD70657208914C933F33EBC3300305449AF442CF162C2314D4AC761

Function 0812B120 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6db2d1eb9d16d9c6310ac9d96cfc8f0eb4725c3059df640c847410c815a61a
Instruction ID: 486d522c4d720053ac6331c74f388db8ed58626c11b421e60e9f3c7575dd3ba9
Opcode Fuzzy Hash: 9d6db2d1eb9d16d9c6310ac9d96cfc8f0eb4725c3059df640c847410c815a61a
Instruction Fuzzy Hash: F1D09E3914F6C06FC346CB18C990846BF666F9B214719C4CAF5458F263C6329E1BD7A2

Function 0812AA30 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b99445dfa991133f5e6e09f7337cda50a578a86d15eb9022ac3ba44b558f7a
Instruction ID: b12daca4e2b80ae2a7a3326ae5e6e0b66a5ec34996f1b846d3572dbce389ed64
Opcode Fuzzy Hash: 36b99445dfa991133f5e6e09f7337cda50a578a86d15eb9022ac3ba44b558f7a
Instruction Fuzzy Hash: B9D0C73531412457C714E6A9945056F76CFDBC9161745802AD90D83744CD79AC0146B9

Function 081206F1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d088c12e852cc7c36019c12a41fe762fda7cc83494d4125cc911f2af376342
Instruction ID: 675624da65c49de896db6328868e66bb8a37d2841ae6d200cc5f886538e56509
Opcode Fuzzy Hash: 98d088c12e852cc7c36019c12a41fe762fda7cc83494d4125cc911f2af376342
Instruction Fuzzy Hash: E9D05E31249A80AFC3024B24DC04C803F71DB173A130940C2F445CF132C2328849D761

Function 081238B1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7582fa70e5d01bc9d6e558159bad466350ab690b9d42ad9b0f3429fb33ed51
Instruction ID: 941beba69fd8ce119e91608e17b575590deada6376fa96f536c5428dd54732cb
Opcode Fuzzy Hash: 2b7582fa70e5d01bc9d6e558159bad466350ab690b9d42ad9b0f3429fb33ed51
Instruction Fuzzy Hash: D5D0A9310093C4AFC302DF24E90688A7F7AAF0260070940DBF1828E023CF31980AC3B2

Function 08128F08 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55da8576b5d82dc6714aa04aee290277e5dda472bec67248a76b789e441540f8
Instruction ID: 3c6ece29ff8021d4506ed21135093fc2788a3d6c0a100b54f38ebccfdbf35dd0
Opcode Fuzzy Hash: 55da8576b5d82dc6714aa04aee290277e5dda472bec67248a76b789e441540f8
Instruction Fuzzy Hash: 23D0C9391091805FC351DA10C955C55BFA1AF95708B18C4DEA9898B263EB32AD3BD751

Function 08129F78 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93137172d6ac510287f5a681c68fb1256276b2a49937ead7ace15263d127ba4d
Instruction ID: 8566d74a8b317ce463b1c0513c8e378301bcf14d798b139d408117991c605132
Opcode Fuzzy Hash: 93137172d6ac510287f5a681c68fb1256276b2a49937ead7ace15263d127ba4d
Instruction Fuzzy Hash: 9AC08C3480023CCFFBA05A64D409B247F9CEB0433BF10229CEC08051018B7348E3C6A3

Function 08120700 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 081238C0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1474a839b2569a9590049a7cdf5ed44a5468b53a2953ae0cdeac6dd9c05b5a4d
Instruction ID: a2933af4276a84d2188d37cc106f30eb2cc41b53e1f58c9e5b4fac6a2c197c78
Opcode Fuzzy Hash: 1474a839b2569a9590049a7cdf5ed44a5468b53a2953ae0cdeac6dd9c05b5a4d
Instruction Fuzzy Hash: 22B09232004208AB86009E84E905855BBA9AB596007008025B6090A5518B72E822EB94

Non-executed Functions

Function 08121108 Relevance: 5.2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

Strings

(_]q, xrefs: 0812182A
(_]q, xrefs: 081217B3
(_]q, xrefs: 081217F4
(_]q, xrefs: 081217BD

Memory Dump Source

Source File: 0000000A.00000002.4525757736.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8120000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: (_]q$(_]q$(_]q$(_]q
API String ID: 0-2651352888
Opcode ID: 89aa8dbfb7328d562fa816076f9bdee67da9e2adc0d43e8d749cb2ca4fd0971c
Instruction ID: 694b2598341ee2018b97d34c778c0b175f494257c70924a6feb0ce421d50079a
Opcode Fuzzy Hash: 89aa8dbfb7328d562fa816076f9bdee67da9e2adc0d43e8d749cb2ca4fd0971c
Instruction Fuzzy Hash: D361DF75B04244DFCB05DB78D8A08AA7FF2BF8A210B1445ADD546DB362DB31EC52CB90

Analysis Process: Exccelworkbook.exePID: 7940, Parent PID: 7648COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	86
Total number of Limit Nodes:	12

Executed Functions

Function 01926530 Relevance: 6.1, APIs: 4, Instructions: 137
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 019265BE
GetCurrentThread.KERNEL32 ref: 019265FB
GetCurrentProcess.KERNEL32 ref: 01926638
GetCurrentThreadId.KERNEL32 ref: 01926691

Memory Dump Source

Source File: 0000000D.00000002.2219470730.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1920000_Exccelworkbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8e11fcb63f1ea1f95167e59c69e6bd3f896ed3f7fefc0611af102dbf5c3a8eb3
Instruction ID: a9c8c34d889d3f2f61d58381827d959d0844c3738db7a77a67a6ba9f210af035
Opcode Fuzzy Hash: 8e11fcb63f1ea1f95167e59c69e6bd3f896ed3f7fefc0611af102dbf5c3a8eb3
Instruction Fuzzy Hash: D55166B0A003498FDB14DFA9C648BAEBFF5FF48304F248459E409A7660D738A985CF65

Function 01926540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 019265BE
GetCurrentThread.KERNEL32 ref: 019265FB
GetCurrentProcess.KERNEL32 ref: 01926638
GetCurrentThreadId.KERNEL32 ref: 01926691

Memory Dump Source

Source File: 0000000D.00000002.2219470730.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1920000_Exccelworkbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 00bb320f7d8e6320f82997d2a7e70b314ba90142ee8b8c5aba448de9df6b746e
Instruction ID: a247b98d7abd65d68475b5d6389b24b05c2191f234525b6374b6b7c5bc99f750
Opcode Fuzzy Hash: 00bb320f7d8e6320f82997d2a7e70b314ba90142ee8b8c5aba448de9df6b746e
Instruction Fuzzy Hash: 6F5124B0A003098FDB14DFA9D648B9EBBF5FF48304F208459E419A7250D778A985CB65

Function 0192BFF0 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0192C256

Memory Dump Source

Source File: 0000000D.00000002.2219470730.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1920000_Exccelworkbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4964bbde62b7d9a2d95e55d452e263b108395b9268c77c6be08acd5e9bcdeb69
Instruction ID: 5d8ca3b8b4a6298b6a7ecf6725c09ddd7b78fb5f1893f9ad8ac7b998e14d143b
Opcode Fuzzy Hash: 4964bbde62b7d9a2d95e55d452e263b108395b9268c77c6be08acd5e9bcdeb69
Instruction Fuzzy Hash: 1E8178B0A00B158FDB24DF69D44079ABBF5FF88700F10892DD48ADBA55D779E846CB90

Function 01927364 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01927421

Memory Dump Source

Source File: 0000000D.00000002.2219470730.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1920000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4950560e3ffe83fa2d7ac69bd0f4c2251fefc16d94fff295a39ffc9543020c1e
Instruction ID: 77f29f31afab17ee4892eb737b103277e557bc1b24bca95c223d2724560d4ab7
Opcode Fuzzy Hash: 4950560e3ffe83fa2d7ac69bd0f4c2251fefc16d94fff295a39ffc9543020c1e
Instruction Fuzzy Hash: 9541D2B0C00719CFDB29CFA9C844B9EBBF6BF49704F20805AD419AB255D775694ACF90

Function 01926414 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01927421

Memory Dump Source

Source File: 0000000D.00000002.2219470730.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1920000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8bdfdfacacfda778ecaf4808cf33717930128e7a7d3fff2045a2bed462ad51e8
Instruction ID: e758eb786edd6a8363435daa3dd8bdf45ee32a82cc3ee322368670c3340ad8c6
Opcode Fuzzy Hash: 8bdfdfacacfda778ecaf4808cf33717930128e7a7d3fff2045a2bed462ad51e8
Instruction Fuzzy Hash: 1241D2B0C00719CEDB28DFA9C844B9DBBB6BF44704F20805AD419AB255DB756946CF90

Function 01926780 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0192680F

Memory Dump Source

Source File: 0000000D.00000002.2219470730.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1920000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 283f3a34ee36950f6ece90d08905892b9407e57f6038db2d378117e265048cf1
Instruction ID: bac81753afcf87bb68ba9de85ec9a795d396ffeb6f375ad028c9ac2e606f8c7b
Opcode Fuzzy Hash: 283f3a34ee36950f6ece90d08905892b9407e57f6038db2d378117e265048cf1
Instruction Fuzzy Hash: 7421F6B59002599FDB10CFA9D584AEEFFF4FB48310F14845AE918A7211D379A940CF61

Function 01926788 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0192680F

Memory Dump Source

Source File: 0000000D.00000002.2219470730.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1920000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b5b39dbe30b590f0a76e5d19859ccc31bf0666f4386e6b345bcea8555e5a9f72
Instruction ID: e5127de8a30292c010bfb09c52d6a32f66079e75cb9e8df09b0e8cbb79836000
Opcode Fuzzy Hash: b5b39dbe30b590f0a76e5d19859ccc31bf0666f4386e6b345bcea8555e5a9f72
Instruction Fuzzy Hash: 5021B3B59002589FDB10CFAAD984ADEBFF9FB48310F14841AE918A3250D379A944CFA5

Function 05BB23A8 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 05BB240D

Memory Dump Source

Source File: 0000000D.00000002.2240590808.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5bb0000_Exccelworkbook.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 43850b33acad26da6c8fb5ab1fe059771edb15c3c9ea55fcc5c457612171d4bf
Instruction ID: 876941487ae75c76b5a7871fac3ceccf1cd2bdb9630d9f7c82d0950d496b3a4c
Opcode Fuzzy Hash: 43850b33acad26da6c8fb5ab1fe059771edb15c3c9ea55fcc5c457612171d4bf
Instruction Fuzzy Hash: 3E11C2BA8003499FDB10DF9AD885BDEFFF8EB48320F148459E519A7600D3B9A544CFA1

Function 0192C1F0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0192C256

Memory Dump Source

Source File: 0000000D.00000002.2219470730.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1920000_Exccelworkbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 410410d36fb0287556fb27488563f377832dcedd7108fea6741a772f01ed589b
Instruction ID: c0b535f9d284a24e9a7543133169ce0dcd3bc36df2fad8b9264689884eb67def
Opcode Fuzzy Hash: 410410d36fb0287556fb27488563f377832dcedd7108fea6741a772f01ed589b
Instruction Fuzzy Hash: 51110FB5C002598FDB10DF9AC444ADEFBF8AF89220F10841AD929A7200C379A545CFA1

Function 05BB0EA8 Relevance: 1.5, APIs: 1, Instructions: 45
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,?,?,?), ref: 05BB0F0D

Memory Dump Source

Source File: 0000000D.00000002.2240590808.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5bb0000_Exccelworkbook.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6791696df6ea86b867d02c02e1271bc03559d0c40e8396dc1c09ab129e9f3452
Instruction ID: 9249df2c62afa71fe99b8bd81ff085dbfcb32b9c9f2463edcf1736fa4b0fd153
Opcode Fuzzy Hash: 6791696df6ea86b867d02c02e1271bc03559d0c40e8396dc1c09ab129e9f3452
Instruction Fuzzy Hash: A61103B69002499FDB10DF99D549BEEFBF8FB08310F10844AE519A3640D3B9AA44CFA0

Function 05BB0EB0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 05BB0F0D

Memory Dump Source

Source File: 0000000D.00000002.2240590808.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5bb0000_Exccelworkbook.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 83f82eee8646f5bfee3a7c26b434ce11ecd27239ac10c47ddae4bf04deac9fa1
Instruction ID: fcc6a66ce8e213edd437a485243e49b709b0f0754fc41efbdc049cf14732a62f
Opcode Fuzzy Hash: 83f82eee8646f5bfee3a7c26b434ce11ecd27239ac10c47ddae4bf04deac9fa1
Instruction Fuzzy Hash: E611E5B59007499FDB10DF9AD449BEEFBF8FB48310F108459E519A7600C3B9A644CFA1

Function 05BB23B0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05BB240D

Memory Dump Source

Source File: 0000000D.00000002.2240590808.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5bb0000_Exccelworkbook.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2516fa628db6e3240cb64e308ca460218243d5a260992ad1123a6de56722abc4
Instruction ID: 058939fa92e029de658a1fc7c1adbc43f828eb77f6af37935adb15ac2f736a11
Opcode Fuzzy Hash: 2516fa628db6e3240cb64e308ca460218243d5a260992ad1123a6de56722abc4
Instruction Fuzzy Hash: 3011D3B58003499FDB10DF9AD445BDEFBF8FB48310F108459E519A7600C3B9A544CFA1

Function 05BB2690 Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 05BB2730

Memory Dump Source

Source File: 0000000D.00000002.2240590808.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5bb0000_Exccelworkbook.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f229e54e290da77e16f6b75c065da093e8577d2fa46b57520bd1e0c5f228ab2f
Instruction ID: abfd7da87b3a6fb388e4d645baf421612716ad8a9e523af2af82340ec4d9de25
Opcode Fuzzy Hash: f229e54e290da77e16f6b75c065da093e8577d2fa46b57520bd1e0c5f228ab2f
Instruction Fuzzy Hash: A12169B6900208CFCB10DF99C544AEEBBF5FF08310F10849AD558A7251D779E944CFA0

Function 05BB147C Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 05BB2730

Memory Dump Source

Source File: 0000000D.00000002.2240590808.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5bb0000_Exccelworkbook.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6036e5d8d294b6e2ec01aaf6f7bac8667b01b91f5bcfb490acc1982efbbfc3d4
Instruction ID: 38f0491dcb09d7d24f9682d2b7c222d2112c8d2e43857fbc94fc3a0a8ef0e51b
Opcode Fuzzy Hash: 6036e5d8d294b6e2ec01aaf6f7bac8667b01b91f5bcfb490acc1982efbbfc3d4
Instruction Fuzzy Hash: 271125B58002498FDB20DF9AC548BEEFBF4EB48320F108459E959A7240D3B8A944CFA5

Function 0169D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2216812003.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_169d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3133582eb52a45096093ab995e272b6bb8a3c2c80cd1c7cd9d316f792dd580f8
Instruction ID: cf948148d0bc5d3c3fbf77094b0b8a0c76cc8dfe0bddc0c6adf47685ab86e07b
Opcode Fuzzy Hash: 3133582eb52a45096093ab995e272b6bb8a3c2c80cd1c7cd9d316f792dd580f8
Instruction Fuzzy Hash: 80210071604200DFDF15DFA8D984B26BF69FB88354F20C579D90A0B396C33AD407CA61

Function 0169D006 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2216812003.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_169d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c243d87846a209092497f1b85f6d88016745191cb4d1e658ab64446f17b9557a
Instruction ID: cf285cfb3fcb6c70a4068f0e987ebdf55d2d598ffbc21c445d2c1afe8787f2dc
Opcode Fuzzy Hash: c243d87846a209092497f1b85f6d88016745191cb4d1e658ab64446f17b9557a
Instruction Fuzzy Hash: 7F219F755083809FDB02CF64D994B11BFB5FB46314F24C5EAD8498F2A7C33A980ACB62

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UoEDaAjHGW.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Exccelworkbook.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UoEDaAjHGW.exe.log

C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
UoEDaAjHGW.exe

Function 076D75E8 Relevance: 6.9, Strings: 5, Instructions: 622
COMMON

Function 031BD551 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Function 031BD560 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre