Edit tour

Windows Analysis Report
pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Overview

General Information

Sample name:	pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
Analysis ID:	1590630
MD5:	7ced1e3728202bb14170fdbcde4f69b2
SHA1:	bf67ce43accf497ffa74caa94a5c09209b974f07
SHA256:	3bee4d2ab33ac3f0605136f09cba556140d62ce9a0c1bdb1639159b43ae58943
Tags:	exeuser-TeamDreier
Infos:

Detection

PureLog Stealer, Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe (PID: 5392 cmdline: "C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe" MD5: 7CED1E3728202BB14170FDBCDE4F69B2)

pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe (PID: 5160 cmdline: "C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe" MD5: 7CED1E3728202BB14170FDBCDE4F69B2)

schtasks.exe (PID: 3532 cmdline: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Exccelworkbook.exe (PID: 6636 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 7CED1E3728202BB14170FDBCDE4F69B2)

Exccelworkbook.exe (PID: 3200 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 7CED1E3728202BB14170FDBCDE4F69B2)

Exccelworkbook.exe (PID: 1132 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 7CED1E3728202BB14170FDBCDE4F69B2)

Exccelworkbook.exe (PID: 6288 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 7CED1E3728202BB14170FDBCDE4F69B2)

schtasks.exe (PID: 6128 cmdline: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Exccelworkbook.exe (PID: 6664 cmdline: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe MD5: 7CED1E3728202BB14170FDBCDE4F69B2)

Exccelworkbook.exe (PID: 5204 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 7CED1E3728202BB14170FDBCDE4F69B2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;rency.ydns.eu:5287;wqo9.firewall-gateway.de:8841;code1.ydns.eu:5287;wqo9.firewall-gateway.de:9792;", "SubDirectory": "SubDir", "InstallName": "Exccelworkbook.exe", "MutexName": "025351e291-5d1041-4fa37-932c7-869aeiQec514992", "StartupKey": "pdfdocument", "Tag": "CODE", "LogDirectoryName": "Logs", "ServerSignature": "XBBvS+rvDQy/NRA7cnb+1Bf2zFbsUHBtrkbS5j0N0VYcCxHngz7kKbyn5Jk5bqDEI6eX9AB+bIEClKSPSVh4o0tmRTlCyQR8n6K5WidNbCUdY2+XqfpKSeeSe+/39iGrb9ZLHaZnA9ciC9yC4PwnmFUO4AD6c2tNeWgm2PU1ohA9OikWzIuh/ks9RkLPCX2N5NbpAd+AvnufkOJwDLDXLT4MfcZlD2s7folRvVMxMcO7qQh4qI3ucP90WFCEokdbM4Rp3wOtslDricIMAIkAmogGRz4B5aLGHo+UKGsYDeV1bWBtzFi1XTWQ/6q4qfqiD4xLJpDFMICIRPNdK9raQkGcTP03+NhWNSswQU59I2Ar9A0CAUdysw34N2Kjm/UbGRrW3+j9kbJxMldClUDkeN0cGmVyyaiGpPUQBlBuqH620bBOymsxD3XZ6Ouxl9MgjTV6Il/iiq/NSebMLiET2K09Tvpmc/8DD8KLeu+5NrJnmChJat6LR2NCPqv1vp8xPgJNCm4DSv6HB78QRq0Ni/oqW7UBnQR4da5/ckoEk+1ZyMZ/TftczNdKaLoyii2gXx3EzDhVEQy9OH8iNQqevGPW/pTYqLGAkH4hRs0+kir9p7nSGZpHvgHSJL7DbCzKlTEYyAlb4VFoR4L+DhJ0+A8JWxhOkfSCX2jo3RVCcPs=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQANqzkhOLx49IztAjuviKazANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDgyMDEyNDQxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgCzkFEuivKBaTsClmq/3wI2X1uYUZUxf0vEiobTv72lQBIu1jz/r6PADg+cpeGisY1MV3VsdWhecO8dT7LosHtl/FnpTjASkUp3LF0d6cPTgeLsKbK/xJ06uq5gaKvG8Q5zXq6Jbxv+STJdEgmxCf1SPAXViD1PIiGLt2B24qZyOtsSpTSnM5cQuLAvr/6xZG7GYkCU7PRADMGFUm3Xg6L3vRUU3h6vaddoMBAW9ENXVaym1eN5aax3x4tLNUp+kerM+kb/Ab/mi01+PfutPKTptP/dqEGZuKmVrGdX9A+s2Wo6sPtSl85NJT+HT+SSrROvGbx4GH3d6MSHx71JSzy+dph46LV3brBMzY/2xvLbIuPVHqniL/Y0bsUke6aD9cfXIa4UBi7TiKBuoKJYqoYa/VgdoqB4yDaczAnzzYXov7thvPL1Rwv5TueNsPSrQbXbvEJUDxRazlLIrGLuYzeGrnbFHOTM8KKpSVnE8uiXiSEW31DRNHXyLImklMHjwtGd4sjZD5EfkUcg1v9gVCu80ggT+/l7SflY07DOLFvS1ii2ZUPu3IjcbyPtlFj6pGUYjMbIZj8AdqIKyMh6IWtbsu6TMC2yEPSk5pwXrEf7M89nIfHtuhZio+mZ0MhGyHos3nv51/dDBKQnEtcJiODik24kI3JTMGnfQsp7IMjECAwEAAaMyMDAwHQYDVR0OBBYEFFUq5ihhM0we5AVYMhcmFpT6wUKMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFQvpu2xTTenJ6N6YiRWxJ1cwH673yEt60lfsF/xncTeD79qdjD371b1GzQtcYZtYuSdgajGG4YZ8gBrwthm2fOcfuWK2VRDOe7/++mJVEvvsUzzexNeB5nZCYuu1N4UA7z8RHJy6ycPTTcelqyMKUjAGTCZa2BQhkxoFq+wBrEZrY975RcEe7bNNWg0S8YpvdKXxwy/gDZUoWyWXvgmDFQ6VjzDk3jJb0fonxnP/9F7sjd1uU2t5d6aQdPXzbzgWC/IKRXpfdIIZe15uHs1o1O909ymViRRsyy36cjwZ1M2snHWsU7vO//CptldBoV6k6bKkvXA23Cg1vUT0mj0MW554Vb20afxPhyWqHQa4ffHspH2HxViicHx9YaD+WjNAER0Skdo7/sxVR9Ozms2kb8Tyd18mwtVvwmlBNdtwsw8MX9PeW0AXlJUXkHkj47TVP+yyv1dKdUaGZq+ErPjiGoQGBCeHrrtGh+WryK38T7huLnpt++Q4U+CJ6+u9Mvd+C7MCZmgsO9sn0fTL/z54j3zBaWZoRcUZg8IZ7U+C5eGCrg9VjubVdYSar5CrCQnw8x2Rl63qjLVOwpiRoNnEXxmE23yyx1hkP8r27EcTbH7PpJHI22khScfDhf0X/99HEaBqcs+GI+YnC5dpPHY9koTdT5JckCfPJ9sprOn9Ble"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2350603816.0000000002E97000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000003.00000002.2291672265.0000000000720000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2265586466.0000000002F27000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000A.00000002.4700727831.0000000003294000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2267186078.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2297451860.0000000005A40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2410546923.00000000029CC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000003.00000002.2291672265.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2309440522.000000000AA92000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe PID: 5392	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe PID: 5392	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe PID: 5160	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Exccelworkbook.exe PID: 6636	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Exccelworkbook.exe PID: 6636	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Exccelworkbook.exe PID: 6664	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Exccelworkbook.exe PID: 6664	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Exccelworkbook.exe PID: 6288	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.3f17590.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.3f17590.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.5a40000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.5a40000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab7f2:$x4: Uninstalling... good bye :-( 0x2acfe7:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aada4:$f1: FileZilla\recentservers.xml 0x2aade4:$f2: FileZilla\sitemanager.xml 0x2aae26:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab072:$b1: Chrome\User Data\ 0x2ab0c8:$b1: Chrome\User Data\ 0x2ab3a0:$b2: Mozilla\Firefox\Profiles 0x2ab49c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd520:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab5f4:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ae:$b5: YandexBrowser\User Data\ 0x2ab71c:$b5: YandexBrowser\User Data\ 0x2ab3f0:$s4: logins.json 0x2ab126:$a1: username_value 0x2ab144:$a2: password_value 0x2ab430:$a3: encryptedUsername 0x2fd464:$a3: encryptedUsername 0x2ab454:$a4: encryptedPassword 0x2fd482:$a4: encryptedPassword 0x2fd400:$a5: httpRealm
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8dc:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2feb4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d0d8:$x1: Quasar.Common.Messages 0x29d43b:$x1: Quasar.Common.Messages 0x2a99f2:$x4: Uninstalling... good bye :-( 0x2ab1e7:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fa4:$f1: FileZilla\recentservers.xml 0x2a8fe4:$f2: FileZilla\sitemanager.xml 0x2a9026:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a9272:$b1: Chrome\User Data\ 0x2a92c8:$b1: Chrome\User Data\ 0x2a95a0:$b2: Mozilla\Firefox\Profiles 0x2a969c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb720:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a97f4:$b4: Opera Software\Opera Stable\Login Data 0x2a98ae:$b5: YandexBrowser\User Data\ 0x2a991c:$b5: YandexBrowser\User Data\ 0x2a95f0:$s4: logins.json 0x2a9326:$a1: username_value 0x2a9344:$a2: password_value 0x2a9630:$a3: encryptedUsername 0x2fb664:$a3: encryptedUsername 0x2a9654:$a4: encryptedPassword 0x2fb682:$a4: encryptedPassword 0x2fb600:$a5: httpRealm
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9adc:$s3: Process already elevated. 0x28cdd7:$s4: get_PotentiallyVulnerablePasswords 0x276e58:$s5: GetKeyloggerLogsDirectory 0x29cb9a:$s5: GetKeyloggerLogsDirectory 0x28cdfa:$s6: set_PotentiallyVulnerablePasswords 0x2fcd4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed8:$x1: Quasar.Common.Messages 0x29f23b:$x1: Quasar.Common.Messages 0x2ab7f2:$x4: Uninstalling... good bye :-( 0x2acfe7:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aada4:$f1: FileZilla\recentservers.xml 0x2aade4:$f2: FileZilla\sitemanager.xml 0x2aae26:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab072:$b1: Chrome\User Data\ 0x2ab0c8:$b1: Chrome\User Data\ 0x2ab3a0:$b2: Mozilla\Firefox\Profiles 0x2ab49c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd520:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab5f4:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ae:$b5: YandexBrowser\User Data\ 0x2ab71c:$b5: YandexBrowser\User Data\ 0x2ab3f0:$s4: logins.json 0x2ab126:$a1: username_value 0x2ab144:$a2: password_value 0x2ab430:$a3: encryptedUsername 0x2fd464:$a3: encryptedUsername 0x2ab454:$a4: encryptedPassword 0x2fd482:$a4: encryptedPassword 0x2fd400:$a5: httpRealm
3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8dc:$s3: Process already elevated. 0x28ebd7:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e99a:$s5: GetKeyloggerLogsDirectory 0x28ebfa:$s6: set_PotentiallyVulnerablePasswords 0x2feb4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x5f08f8:$x1: Quasar.Common.Messages 0x600c5b:$x1: Quasar.Common.Messages 0x60d212:$x4: Uninstalling... good bye :-( 0x60ea07:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x60c7c4:$f1: FileZilla\recentservers.xml 0x60c804:$f2: FileZilla\sitemanager.xml 0x60c846:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x60ca92:$b1: Chrome\User Data\ 0x60cae8:$b1: Chrome\User Data\ 0x60cdc0:$b2: Mozilla\Firefox\Profiles 0x60cebc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x65ef40:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x60d014:$b4: Opera Software\Opera Stable\Login Data 0x60d0ce:$b5: YandexBrowser\User Data\ 0x60d13c:$b5: YandexBrowser\User Data\ 0x60ce10:$s4: logins.json 0x60cb46:$a1: username_value 0x60cb64:$a2: password_value 0x60ce50:$a3: encryptedUsername 0x65ee84:$a3: encryptedUsername 0x60ce74:$a4: encryptedPassword 0x65eea2:$a4: encryptedPassword 0x65ee20:$a5: httpRealm
0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x4c6936:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x60d2fc:$s3: Process already elevated. 0x5f05f7:$s4: get_PotentiallyVulnerablePasswords 0x5da678:$s5: GetKeyloggerLogsDirectory 0x6003ba:$s5: GetKeyloggerLogsDirectory 0x5f061a:$s6: set_PotentiallyVulnerablePasswords 0x66056e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 18 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe, ParentProcessId: 6288, ParentProcessName: Exccelworkbook.exe, ProcessCommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, ProcessId: 6128, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe", ParentImage: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, ParentProcessId: 5160, ParentProcessName: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, ProcessCommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, ProcessId: 3532, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T11:54:30.100509+0100	2035595	1	Domain Observed Used for C2 Detected	94.156.177.117	9792	192.168.2.6	49797	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T11:54:30.100509+0100	2027619	1	Domain Observed Used for C2 Detected	94.156.177.117	9792	192.168.2.6	49797	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;rency.ydns.eu:5287;wqo9.firewall-gateway.de:8841;code1.ydns.eu:5287;wqo9.firewall-gateway.de:9792;", "SubDirectory": "SubDir", "InstallName": "Exccelworkbook.exe", "MutexName": "025351e291-5d1041-4fa37-932c7-869aeiQec514992", "StartupKey": "pdfdocument", "Tag": "CODE", "LogDirectoryName": "Logs", "ServerSignature": "XBBvS+rvDQy/NRA7cnb+1Bf2zFbsUHBtrkbS5j0N0VYcCxHngz7kKbyn5Jk5bqDEI6eX9AB+bIEClKSPSVh4o0tmRTlCyQR8n6K5WidNbCUdY2+XqfpKSeeSe+/39iGrb9ZLHaZnA9ciC9yC4PwnmFUO4AD6c2tNeWgm2PU1ohA9OikWzIuh/ks9RkLPCX2N5NbpAd+AvnufkOJwDLDXLT4MfcZlD2s7folRvVMxMcO7qQh4qI3ucP90WFCEokdbM4Rp3wOtslDricIMAIkAmogGRz4B5aLGHo+UKGsYDeV1bWBtzFi1XTWQ/6q4qfqiD4xLJpDFMICIRPNdK9raQkGcTP03+NhWNSswQU59I2Ar9A0CAUdysw34N2Kjm/UbGRrW3+j9kbJxMldClUDkeN0cGmVyyaiGpPUQBlBuqH620bBOymsxD3XZ6Ouxl9MgjTV6Il/iiq/NSebMLiET2K09Tvpmc/8DD8KLeu+5NrJnmChJat6LR2NCPqv1vp8xPgJNCm4DSv6HB78QRq0Ni/oqW7UBnQR4da5/ckoEk+1ZyMZ/TftczNdKaLoyii2gXx3EzDhVEQy9OH8iNQqevGPW/pTYqLGAkH4hRs0+kir9p7nSGZpHvgHSJL7DbCzKlTEYyAlb4VFoR4L+DhJ0+A8JWxhOkfSCX2jo3RVCcPs=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQANqzkhOLx49IztAjuviKazANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDgyMDEyNDQxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgCzkFEuivKBaTsClmq/3wI2X1uYUZUxf0vEiobTv72lQBIu1jz/r6PADg+cpeGisY1MV3VsdWhecO8dT7LosHtl/FnpTjASkUp3LF0d6cPTgeLsKbK/xJ06uq5gaKvG8Q5zXq6Jbxv+STJdEgmxCf1SPAXViD1PIiGLt2B24qZyOtsSpTSnM5cQuLAvr/6xZG7GYkCU7PRADMGFUm3Xg6L3vRUU3h6vaddoMBAW9ENXVaym1eN5aax3x4tLNUp+kerM+kb/Ab/mi01+PfutPKTptP/dqEGZuKmVrGdX9A+s2Wo6sPtSl85NJT+HT+SSrROvGbx4GH3d6MSHx71JSzy+dph46LV3brBMzY/2xvLbIuPVHqniL/Y0bsUke6aD9cfXIa4UBi7TiKBuoKJYqoYa/VgdoqB4yDaczAnzzYXov7thvPL1Rwv5TueNsPSrQbXbvEJUDxRazlLIrGLuYzeGrnbFHOTM8KKpSVnE8uiXiSEW31DRNHXyLImklMHjwtGd4sjZD5EfkUcg1v9gVCu80ggT+/l7SflY07DOLFvS1ii2ZUPu3IjcbyPtlFj6pGUYjMbIZj8AdqIKyMh6IWtbsu6TMC2yEPSk5pwXrEf7M89nIfHtuhZio+mZ0MhGyHos3nv51/dDBKQnEtcJiODik24kI3JTMGnfQsp7IMjECAwEAAaMyMDAwHQYDVR0OBBYEFFUq5ihhM0we5AVYMhcmFpT6wUKMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFQvpu2xTTenJ6N6YiRWxJ1cwH673yEt60lfsF/xncTeD79qdjD371b1GzQtcYZtYuSdgajGG4YZ8gBrwthm2fOcfuWK2VRDOe7/++mJVEvvsUzzexNeB5nZCYuu1N4UA7z8RHJy6ycPTTcelqyMKUjAGTCZa2BQhkxoFq+wBrEZrY975RcEe7bNNWg0S8YpvdKXxwy/gDZUoWyWXvgmDFQ6VjzDk3jJb0fonxnP/9F7sjd1uU2t5d6aQdPXzbzgWC/IKRXpfdIIZe15uHs1o1O909ymViRRsyy36cjwZ1M2snHWsU7vO//CptldBoV6k6bKkvXA23Cg1vUT0mj0MW554Vb20afxPhyWqHQa4ffHspH2HxViicHx9YaD+WjNAER0Skdo7/sxVR9Ozms2kb8Tyd18mwtVvwmlBNdtwsw8MX9PeW0AXlJUXkHkj47TVP+yyv1dKdUaGZq+ErPjiGoQGBCeHrrtGh+WryK38T7huLnpt++Q4U+CJ6+u9Mvd+C7MCZmgsO9sn0fTL/z54j3zBaWZoRcUZg8IZ7U+C5eGCrg9VjubVdYSar5CrCQnw8x2Rl63qjLVOwpiRoNnEXxmE23yyx1hkP8r27EcTbH7PpJHI22khScfDhf0X/99HEaBqcs+GI+YnC5dpPHY9koTdT5JckCfPJ9sprOn9Ble"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Virustotal: Detection: 34%			Perma Link
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	ReversingLabs: Detection: 39%

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2350603816.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2291672265.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2265586466.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4700727831.0000000003294000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2410546923.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2291672265.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2309440522.000000000AA92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe PID: 5392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 6664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 6288, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Joe Sandbox ML: detected

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.6:49814 version: TLS 1.2

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ntCC.pdb source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, Exccelworkbook.exe.3.dr
Source:	Binary string: ntCC.pdbSHA256 source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, Exccelworkbook.exe.3.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 94.156.177.117:9792 -> 192.168.2.6:49797
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 94.156.177.117:9792 -> 192.168.2.6:49797

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: twart.myfirewall.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.6:49797 -> 94.156.177.117:9792

Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90
Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: twart.myfirewall.org
Source: global traffic	DNS traffic detected: DNS query: ipwho.is

Source: Exccelworkbook.exe, 0000000A.00000002.4698075820.0000000001292000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Exccelworkbook.exe, 0000000A.00000002.4698075820.0000000001292000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.10.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Exccelworkbook.exe, 0000000A.00000002.4700727831.0000000003248000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: Exccelworkbook.exe, 0000000A.00000002.4700727831.0000000003248000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.isd
Source: Exccelworkbook.exe, 0000000A.00000002.4700727831.0000000003294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: Exccelworkbook.exe, 0000000A.00000002.4700727831.0000000003294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000003.00000002.2303799911.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.4700727831.000000000302B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, Exccelworkbook.exe.3.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.000000000AA92000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000003.00000002.2291672265.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Exccelworkbook.exe, 0000000A.00000002.4700727831.0000000003236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.000000000AA92000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000003.00000002.2291672265.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.4700727831.0000000003236000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.000000000AA92000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000003.00000002.2291672265.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.000000000AA92000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000003.00000002.2291672265.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.4700727831.0000000003033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.000000000AA92000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000003.00000002.2291672265.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814

Source: unknown

HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.6:49814 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2350603816.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2291672265.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2265586466.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4700727831.0000000003294000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2410546923.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2291672265.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2309440522.000000000AA92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe PID: 5392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 6664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 6288, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
Source: initial sample	Static PE information: Filename: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_015A4204	0_2_015A4204
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_015A7018	0_2_015A7018
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_015AD8EC	0_2_015AD8EC
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_04F642E8	0_2_04F642E8
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_09019E18	0_2_09019E18
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_09016020	0_2_09016020
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_0901C9D8	0_2_0901C9D8
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_0901EA60	0_2_0901EA60
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_09013F50	0_2_09013F50
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_09013F70	0_2_09013F70
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_09019E08	0_2_09019E08
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_0901CE18	0_2_0901CE18
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_0901CE28	0_2_0901CE28
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_0901BE80	0_2_0901BE80
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_0901600F	0_2_0901600F
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_09015300	0_2_09015300
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_0901D260	0_2_0901D260
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_090152F0	0_2_090152F0
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 0_2_0901F410	0_2_0901F410
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Code function: 3_2_0328F03C	3_2_0328F03C
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 6_2_01514204	6_2_01514204
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 6_2_01517018	6_2_01517018
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 6_2_0151D8EC	6_2_0151D8EC
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 6_2_04ED45A8	6_2_04ED45A8
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_00F14204	7_2_00F14204
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_00F17018	7_2_00F17018
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_00F1D8EC	7_2_00F1D8EC
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 7_2_04A042E8	7_2_04A042E8
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 10_2_02FBF03C	10_2_02FBF03C
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 10_2_05569068	10_2_05569068
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 10_2_05560518	10_2_05560518
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 10_2_05560508	10_2_05560508
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 10_2_05569EE0	10_2_05569EE0
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 10_2_0800B6E0	10_2_0800B6E0
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 10_2_08007E48	10_2_08007E48
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Code function: 14_2_02FBF03C	14_2_02FBF03C

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000000.2239954952.0000000000C4E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamentCC.exeB vs pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2263374958.000000000120E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2265586466.0000000002F27000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2267186078.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2297451860.0000000005A40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000003.00000002.2291672265.0000000000720000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Binary or memory string: OriginalFilenamentCC.exeB vs pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@20/5@2/2

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\025351e291-5d1041-4fa37-932c7-869aeiQec514992
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:936:120:WilError_03

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Exccelworkbook.exe.3.dr

Binary or memory string: INSERT INTO users (first_name, last_name, email, [password]) VALUES (@firstName, @lastName, @email, @password);

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Virustotal: Detection: 34%
Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

File read: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Jump to behavior

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Static file information: File size 3779584 > 1048576

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x39a200

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ntCC.pdb source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, Exccelworkbook.exe.3.dr
Source:	Binary string: ntCC.pdbSHA256 source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, Exccelworkbook.exe.3.dr

Source: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Static PE information: 0xEDEB4335 [Wed Jun 27 06:52:37 2096 UTC]

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Code function: 10_2_08008ADF push 0000005Eh; iretd

10_2_08008ADE

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

File created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	File opened: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe PID: 5392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 6664, type: MEMORYSTR

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Memory allocated: 15A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Memory allocated: 4EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Memory allocated: 9F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Memory allocated: 9050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Memory allocated: AF30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Memory allocated: BF30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Memory allocated: C3C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Memory allocated: 33C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 1510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 4E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 9D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 7260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: AD40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: BD40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: C1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 4990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 90A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: A0A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: A3C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: B3C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: B7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 3000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Window / User API: threadDelayed 5938			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Window / User API: threadDelayed 3812			Jump to behavior

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

API coverage: 5.4 %

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe TID: 6540	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe TID: 5808	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 6808	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 4832	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 5892	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 1912	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 6876	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Exccelworkbook.exe, 0000000A.00000002.4715443547.0000000005877000.00000004.00000020.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.4715443547.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.4715443547.00000000058A9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Memory written: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process created: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe "C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe"	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Queries volume information: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Queries volume information: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.3f17590.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.3f17590.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.5a40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.5a40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2267186078.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2297451860.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2350603816.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2291672265.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2265586466.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4700727831.0000000003294000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2410546923.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2291672265.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2309440522.000000000AA92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe PID: 5392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 6664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 6288, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.3f17590.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.3f17590.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.5a40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.5a40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2267186078.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2297451860.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.460cb70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.42ab150.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2350603816.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2291672265.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2265586466.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4700727831.0000000003294000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2410546923.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2291672265.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2309440522.000000000AA92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe PID: 5392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 6664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Exccelworkbook.exe PID: 6288, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	11 Input Capture	1 Query Registry	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	35%	Virustotal		Browse
pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	39%	ReversingLabs	Win32.Trojan.Leonem
pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe	39%	ReversingLabs	Win32.Trojan.Leonem

Source	Detection	Scanner	Label	Link
http://schemas.datacontract.org/2004/07/d	0%	Avira URL Cloud	safe
http://ipwho.isd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
ipwho.is	195.201.57.90	true	false	high
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false	high
twart.myfirewall.org	94.156.177.117	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
twart.myfirewall.org	false		high
https://ipwho.is/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.000000000AA92000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000003.00000002.2291672265.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/d	Exccelworkbook.exe, 0000000A.00000002.4700727831.0000000003294000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.000000000AA92000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000003.00000002.2291672265.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.4700727831.0000000003033000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	Exccelworkbook.exe, 0000000A.00000002.4700727831.0000000003294000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.000000000AA92000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000003.00000002.2291672265.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://ipwho.isd	Exccelworkbook.exe, 0000000A.00000002.4700727831.0000000003248000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/DataSet1.xsd	pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, Exccelworkbook.exe.3.dr	false		high
https://ipwho.is	Exccelworkbook.exe, 0000000A.00000002.4700727831.0000000003236000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354sCannot	pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000000.00000002.2309440522.000000000AA92000.00000004.00000800.00020000.00000000.sdmp, pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000003.00000002.2291672265.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe, 00000003.00000002.2303799911.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.4700727831.000000000302B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ipwho.is	Exccelworkbook.exe, 0000000A.00000002.4700727831.0000000003248000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.177.117	twart.myfirewall.org	Bulgaria		43561	NET1-ASBG	false
195.201.57.90	ipwho.is	Germany		24940	HETZNER-ASDE	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590630
Start date and time:	2025-01-14 11:53:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@20/5@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 176 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 13.107.253.45, 2.23.242.162, 172.202.163.200
Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:54:17	API Interceptor	1x Sleep call for process: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe modified
05:54:22	API Interceptor	9750352x Sleep call for process: Exccelworkbook.exe modified
11:54:07	Task Scheduler	Run new task: {B6B2796E-8847-4D15-8C43-AE464551DC67} path: .
11:54:22	Task Scheduler	Run new task: pdfdocument path: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.156.177.117	UoEDaAjHGW.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse
	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse
	QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe	Get hash	malicious	Quasar	Browse
195.201.57.90	SPt4FUjZMt.exe	Get hash	malicious	AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine	Browse	/?output=json
	765iYbgWn9.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	765iYbgWn9.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	WfKynArKjH.exe	Get hash	malicious	AsyncRAT, Luca Stealer, MicroClip, RedLine	Browse	/?output=json
	ubes6SC7Vd.exe	Get hash	malicious	Unknown	Browse	ipwhois.app/xml/
	cOQD62FceM.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	/?output=json
	Clipper.exe	Get hash	malicious	Unknown	Browse	/?output=json
	cOQD62FceM.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cryptor.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cryptor.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	/?output=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipwho.is	UoEDaAjHGW.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	195.201.57.90
	RFQ.exe	Get hash	malicious	Quasar, PureLog Stealer	Browse	195.201.57.90
	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	195.201.57.90
	QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	UXxZ4m65ro.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	ny9LDJr6pA.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	jaTDEkWCbs.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	2Mi3lKoJfj.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	YJaaZuNHwI.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	108.181.61.49
s-part-0017.t-0009.fb-t-msedge.net	RFQ____PC25-1301.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://Rtasia-sharepoint.zonivarnoth.ru/ITb4aThU/#Deddie.chan@rtasia.com.hk	Get hash	malicious	Unknown	Browse	13.107.253.45
	JDQS879kiy.exe	Get hash	malicious	DBatLoader	Browse	13.107.253.45
	3.19.1+SetupWIService.exe	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://app.box.com/s/it1hhxczqyf0qxif41bma48tat7sqs32	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	http://id1223.adsalliance.xyz	Get hash	malicious	Unknown	Browse	13.107.253.45
	NursultanAlphaCrack.bat.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	13.107.253.45
	https://sites.google.com/view/01-25sharepoint/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	YYYY-NNN AUDIT DETAIL REPORT .docx	Get hash	malicious	Unknown	Browse	13.107.253.45
	setup64v.2.9.7.msi	Get hash	malicious	Unknown	Browse	13.107.253.45
twart.myfirewall.org	UoEDaAjHGW.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	94.156.177.117
	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	127.0.0.4
	QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe	Get hash	malicious	Quasar	Browse	127.0.0.4
	Zam#U00f3wienie 89118 _ Metal-Constructions.pdf.com.exe	Get hash	malicious	Quasar	Browse	45.88.3.229
	Pedido09669281099195.com.exe	Get hash	malicious	DarkTortilla, Quasar	Browse	213.159.74.80
	doc_Pedido 02024091622008176.com.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	doc_Zapytanie - Oferta POLSKA 91044PL.com.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	doc_Zapytanie - Oferta KH 09281.com.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	doc_rfq Oferta KH 09281.pdf.com.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	Client.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
bg.microsoft.map.fastly.net	PO 2025918 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.232.210.172
	1579614525244583223.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	New purchase order.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.232.210.172
	35491083472324549.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	28236151432955330765.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	ProductBOMpq_v4.xlsm	Get hash	malicious	Unknown	Browse	199.232.214.172
	17201670993971103.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	Scanned-IMGS_from NomanGroup IDT.scr.exe	Get hash	malicious	FormBook	Browse	199.232.210.172
	12.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	UoEDaAjHGW.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	UoEDaAjHGW.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	195.201.57.90
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	RFQ.exe	Get hash	malicious	Quasar, PureLog Stealer	Browse	195.201.57.90
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
NET1-ASBG	UoEDaAjHGW.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	94.156.177.117
	kzQ25HVUbf.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	YvVDV4cbjy.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	EozUxz4ybi.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	oAUBqI6vQ7.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	IpykYx5iwz.exe	Get hash	malicious	Remcos, GuLoader	Browse	94.156.177.164
	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	94.156.177.117
	Fantazy.i486.elf	Get hash	malicious	Unknown	Browse	95.87.199.40
	Fantazy.x86_64.elf	Get hash	malicious	Unknown	Browse	93.123.77.220
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.90

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	12.exe	Get hash	malicious	Unknown	Browse	195.201.57.90
	https://cys-bombasml.com	Get hash	malicious	Unknown	Browse	195.201.57.90
	UoEDaAjHGW.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	195.201.57.90
	009.vbe	Get hash	malicious	AgentTesla	Browse	195.201.57.90
	RFQ.exe	Get hash	malicious	Quasar, PureLog Stealer	Browse	195.201.57.90
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	195.201.57.90
	https://performancemanager10.successfactors.com/sf/hrisworkflowapprovelink?workflowRequestId=V4-0-a1-iHQRWD3bQis7XhhWNKzjfWwnvURbEsN0CxUc27Zt3ml0ag&company=oceanagoldT2&username=dave.oliver@oceanagold.com	Get hash	malicious	Unknown	Browse	195.201.57.90
	https://imtcoken.im/	Get hash	malicious	Unknown	Browse	195.201.57.90
	https://ipfs.io/ipfs/bafkreidfpb2invnj4i76skys5sfmk3hycbkxhquyb7d6uhnbls3gwf4a5q	Get hash	malicious	HTMLPhisher	Browse	195.201.57.90
	http://pub-575fb9d74c7a46f0828b37cda8dd9c40.r2.dev/docu/e_protocol.html?e	Get hash	malicious	HTMLPhisher	Browse	195.201.57.90

Process:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2360072131993585
Encrypted:	false
SSDEEP:	6:kK8z9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:LDImsLNkPlE99SNxAhUe/3
MD5:	F6A253DAB0B9C4A86FB082A9E96B50AA
SHA1:	0B2131944267B7FF4AF64179D3C3BDE7F7E68AFE
SHA-256:	8BA5C1F90BC026E823B0A7F6DCB3952E9A36118149965E6FCE0F5109301241BB
SHA-512:	B0954C0C6AEFFE55C2C028E66EB71FFB3FE35260270C1FE5C5F41DC233FACD85019E763321C45561DDBE1261F88D2E2FB4CA09CB2BDEFB7161665CBBF8C66A52
Malicious:	false
Reputation:	low
Preview:	p...... ..........k.sf..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Exccelworkbook.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.log

Download File

Process:	C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Download File

Process:	C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3779584
Entropy (8bit):	7.97695133421818
Encrypted:	false
SSDEEP:	98304:K4QM2Ie6bMOMcv6NVhbK3H055W5XHx85mSQVaT+50WkdEZM:lsILGjbKkfWhHW5mnVapWcg
MD5:	7CED1E3728202BB14170FDBCDE4F69B2
SHA1:	BF67CE43ACCF497FFA74CAA94A5C09209B974F07
SHA-256:	3BEE4D2AB33AC3F0605136F09CBA556140D62CE9A0C1BDB1639159B43AE58943
SHA-512:	E71A9B4EC8AB4CB18C990E77ECB2FEA86DD28CB769274BC34B31095B8124985EDF4A5B3426C4CAD59429CCAE85726FCB476CF6E4053AF0D902C4BB05CA703B3C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5C................0...9.........j.9.. ....9...@.. ....................... :...........@...................................9.O.....9.......................:.....D.9.p............................................ ............... ..H............text.....9.. ....9................. ..`.rsrc.........9.......9.............@..@.reloc........:.......9.............@..B................I.9.....H.......hK..\=......9....... 9..........................................0..L.........}.....(.......(......(............s......(.....o......( ....o!.....(".....0..K.........}........(#........($.....,5...(............s......(.....o......(.....o!....8.....r...p.J...(%...o&...tJ.......('..........9.....s.........s(...s)...o.......o+...(,.......o-...(........o/...(0.......o1...(2.......o3...(4.......o5...(6.........(7.....(......+....s(...s)...(*........(8...........s......(..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.97695133421818
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
File size:	3'779'584 bytes
MD5:	7ced1e3728202bb14170fdbcde4f69b2
SHA1:	bf67ce43accf497ffa74caa94a5c09209b974f07
SHA256:	3bee4d2ab33ac3f0605136f09cba556140d62ce9a0c1bdb1639159b43ae58943
SHA512:	e71a9b4ec8ab4cb18c990e77ecb2fea86dd28cb769274bc34b31095b8124985edf4a5b3426c4cad59429ccae85726fcb476cf6e4053af0d902c4bb05ca703b3c
SSDEEP:	98304:K4QM2Ie6bMOMcv6NVhbK3H055W5XHx85mSQVaT+50WkdEZM:lsILGjbKkfWhHW5mnVapWcg
TLSH:	1906338465AADE01D08927391CE3E3F89B36BD96C560C613EFE93FE37D69B122101647
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5C................0...9.........j.9.. ....9...@.. ....................... :...........@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x79c16a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xEDEB4335 [Wed Jun 27 06:52:37 2096 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
call far 0000h : 003E9999h
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x39c115	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x39e000	0x5e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3a0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39a944	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x39a180	0x39a200	66406ca4ba88bf338b43d6cdb2596f36	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x39e000	0x5e0	0x600	9034714c9c73dc8be119cca0dad41335	False	0.4322916666666667	data	4.160248195079538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3a0000	0xc	0x200	b7b8c5f607bfcf11a1b7754e61120a9f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x39e090	0x350	data			0.4233490566037736
RT_MANIFEST	0x39e3f0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T11:54:30.100509+0100	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	94.156.177.117	9792	192.168.2.6	49797	TCP
2025-01-14T11:54:30.100509+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	94.156.177.117	9792	192.168.2.6	49797	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:54:29.354471922 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:54:29.360608101 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:54:29.360693932 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:54:29.366621017 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:54:29.372612000 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:54:30.091381073 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:54:30.091403008 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:54:30.091501951 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:54:30.095360041 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:54:30.100508928 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:54:30.327966928 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:54:30.374541998 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:54:31.962424994 CET	49814	443	192.168.2.6	195.201.57.90
Jan 14, 2025 11:54:31.962476015 CET	443	49814	195.201.57.90	192.168.2.6
Jan 14, 2025 11:54:31.962531090 CET	49814	443	192.168.2.6	195.201.57.90
Jan 14, 2025 11:54:31.963490009 CET	49814	443	192.168.2.6	195.201.57.90
Jan 14, 2025 11:54:31.963530064 CET	443	49814	195.201.57.90	192.168.2.6
Jan 14, 2025 11:54:32.813080072 CET	443	49814	195.201.57.90	192.168.2.6
Jan 14, 2025 11:54:32.813185930 CET	49814	443	192.168.2.6	195.201.57.90
Jan 14, 2025 11:54:32.818753958 CET	49814	443	192.168.2.6	195.201.57.90
Jan 14, 2025 11:54:32.818766117 CET	443	49814	195.201.57.90	192.168.2.6
Jan 14, 2025 11:54:32.819056988 CET	443	49814	195.201.57.90	192.168.2.6
Jan 14, 2025 11:54:32.825184107 CET	49814	443	192.168.2.6	195.201.57.90
Jan 14, 2025 11:54:32.871334076 CET	443	49814	195.201.57.90	192.168.2.6
Jan 14, 2025 11:54:33.016243935 CET	443	49814	195.201.57.90	192.168.2.6
Jan 14, 2025 11:54:33.016319990 CET	443	49814	195.201.57.90	192.168.2.6
Jan 14, 2025 11:54:33.016496897 CET	49814	443	192.168.2.6	195.201.57.90
Jan 14, 2025 11:54:33.085829973 CET	49814	443	192.168.2.6	195.201.57.90
Jan 14, 2025 11:54:33.362149954 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:54:33.367074966 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:54:33.367135048 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:54:33.371968985 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:54:33.893984079 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:54:33.968179941 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:54:34.080080032 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:54:34.171310902 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:54:59.093360901 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:54:59.098212957 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:55:24.108884096 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:55:24.113720894 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:55:49.124541044 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:55:49.129976988 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:56:14.140187979 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:56:14.144957066 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:56:39.185142040 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:56:39.190042019 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:57:04.195198059 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:57:04.202353001 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:57:29.202706099 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:57:29.207653046 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:57:54.218369007 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:57:54.223427057 CET	9792	49797	94.156.177.117	192.168.2.6
Jan 14, 2025 11:58:19.234774113 CET	49797	9792	192.168.2.6	94.156.177.117
Jan 14, 2025 11:58:19.239759922 CET	9792	49797	94.156.177.117	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:54:29.306684971 CET	63920	53	192.168.2.6	1.1.1.1
Jan 14, 2025 11:54:29.321928024 CET	53	63920	1.1.1.1	192.168.2.6
Jan 14, 2025 11:54:31.951817989 CET	56990	53	192.168.2.6	1.1.1.1
Jan 14, 2025 11:54:31.958740950 CET	53	56990	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 11:54:29.306684971 CET	192.168.2.6	1.1.1.1	0x32dc	Standard query (0)	twart.myfirewall.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:31.951817989 CET	192.168.2.6	1.1.1.1	0xa003	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 11:54:12.754465103 CET	1.1.1.1	192.168.2.6	0x3b3e	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 11:54:12.754465103 CET	1.1.1.1	192.168.2.6	0x3b3e	No error (0)	dual.s-part-0017.t-0009.fb-t-msedge.net	s-part-0017.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 11:54:12.754465103 CET	1.1.1.1	192.168.2.6	0x3b3e	No error (0)	s-part-0017.t-0009.fb-t-msedge.net		13.107.253.45	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:29.321928024 CET	1.1.1.1	192.168.2.6	0x32dc	No error (0)	twart.myfirewall.org		94.156.177.117	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:31.167386055 CET	1.1.1.1	192.168.2.6	0x6625	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:31.167386055 CET	1.1.1.1	192.168.2.6	0x6625	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:31.958740950 CET	1.1.1.1	192.168.2.6	0xa003	No error (0)	ipwho.is		195.201.57.90	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49814	195.201.57.90	443	6288	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 10:54:32 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2025-01-14 10:54:33 UTC	223	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:54:32 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2025-01-14 10:54:33 UTC	1021	IN	Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo

Target ID:	0
Start time:	05:54:16
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe"
Imagebase:	0x8b0000
File size:	3'779'584 bytes
MD5 hash:	7CED1E3728202BB14170FDBCDE4F69B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2265586466.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2267186078.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2297451860.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2309440522.0000000009F31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2309440522.000000000AA92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2267186078.0000000003F37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:54:18
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe"
Imagebase:	0xd20000
File size:	3'779'584 bytes
MD5 hash:	7CED1E3728202BB14170FDBCDE4F69B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.2291672265.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.2291672265.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:54:21
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
Imagebase:	0x550000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:54:21
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:54:21
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
Imagebase:	0x820000
File size:	3'779'584 bytes
MD5 hash:	7CED1E3728202BB14170FDBCDE4F69B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.2350603816.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:54:22
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Imagebase:	0x2a0000
File size:	3'779'584 bytes
MD5 hash:	7CED1E3728202BB14170FDBCDE4F69B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.2410546923.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:54:24
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
Imagebase:	0x20000
File size:	3'779'584 bytes
MD5 hash:	7CED1E3728202BB14170FDBCDE4F69B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:54:24
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
Imagebase:	0x220000
File size:	3'779'584 bytes
MD5 hash:	7CED1E3728202BB14170FDBCDE4F69B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:54:24
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
Imagebase:	0x8e0000
File size:	3'779'584 bytes
MD5 hash:	7CED1E3728202BB14170FDBCDE4F69B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.4700727831.0000000003294000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	05:54:27
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
Imagebase:	0x550000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:54:27
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:54:32
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
Imagebase:	0x9f0000
File size:	3'779'584 bytes
MD5 hash:	7CED1E3728202BB14170FDBCDE4F69B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.6%
Total number of Nodes:	187
Total number of Limit Nodes:	11

Executed Functions

Function 09016020 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5f59acbbd9afa53e9bd9a175e84d83a18c58b80a4b24e476d01ab99afccbc3
Instruction ID: a2b224b8e9f9dff32990767e1d55a32d63f12b83be508711b092326152568ed1
Opcode Fuzzy Hash: 6b5f59acbbd9afa53e9bd9a175e84d83a18c58b80a4b24e476d01ab99afccbc3
Instruction Fuzzy Hash: 6EC1D274E05228CFDB54CFA9C8447EEBBF2BF89300F1496AAD408A7265DB319985CF50

Function 0901600F Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c5ef8355382f622aa8bc9884b5b700e87cdb55bafb6b8d31befae9c61e2838
Instruction ID: f1d359cde82616a826be0df53ac6b95dbbbd8e3a6cfaaf99eea41e7bbcd37945
Opcode Fuzzy Hash: 19c5ef8355382f622aa8bc9884b5b700e87cdb55bafb6b8d31befae9c61e2838
Instruction Fuzzy Hash: ABC1D1B4E05228CFDB54CFA9C8447AEBBF2BF89300F14D5AAD408A7265DB759985CF40

Function 015A7018 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2265079723.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035940ceb99db727d4a5186e104d9f08ae2add72ea193437036c97c92254f245
Instruction ID: a9a361a82ad148c1eb859ecbfa32289b0b5b75bfc87b432ffb8bc99737e67be2
Opcode Fuzzy Hash: 035940ceb99db727d4a5186e104d9f08ae2add72ea193437036c97c92254f245
Instruction Fuzzy Hash: 5E819074E01219DFDB54DFA9D984AADBBF2FF88300F208129E519AB365EB706945CF40

Function 015A4204 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2265079723.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46902def0e80c53f2565503a132ae8e8df603a4fe3c75564024627df39ce98ec
Instruction ID: 7ab3c50988577268616846a33cdad027f0c2def3a72d5dcaedb82c38418eafbb
Opcode Fuzzy Hash: 46902def0e80c53f2565503a132ae8e8df603a4fe3c75564024627df39ce98ec
Instruction Fuzzy Hash: 7981A174E01219DFDB14DFA9D984AADBBF2FF88300F208529E519AB355EB706945CF40

Function 09019E08 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ffd456404e0e964c86ec0eaaf35ba604a0500a96bb8cf25a1921da78fc9675
Instruction ID: ae39b866955b916b923090e05cd23a8f7c89a114a26f24a0473a7ae8e6bea4db
Opcode Fuzzy Hash: f5ffd456404e0e964c86ec0eaaf35ba604a0500a96bb8cf25a1921da78fc9675
Instruction Fuzzy Hash: E2211AB0D156588BEB18CF67C9443EEBBF7AFC9300F14C46AD409B6264DB7409468B50

Function 09019E18 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 360f23c8f50ba142cfc8c8391cff5e0a445250e2bf2f98a4decd67d5cb13c80e
Instruction ID: eaf422448d46d3008526b26a46fdea52532e607927dd98b4dc77fa452d68d9ed
Opcode Fuzzy Hash: 360f23c8f50ba142cfc8c8391cff5e0a445250e2bf2f98a4decd67d5cb13c80e
Instruction Fuzzy Hash: 562108B0E056588BEB18CFABC9443EEFAF7AFC9340F14C46AD40976254DB7009468F90

Function 015AD369 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015AD3F6
GetCurrentThread.KERNEL32 ref: 015AD433
GetCurrentProcess.KERNEL32 ref: 015AD470
GetCurrentThreadId.KERNEL32 ref: 015AD4C9

Memory Dump Source

Source File: 00000000.00000002.2265079723.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7b41cbce8cb9ce157425eba8893da516d35bacda37f2e7cf805d2a9034564f9f
Instruction ID: 6bffc75df349aea1092b81c30f1e7dce3aac81ebf8a18a3c9d213758500b5d26
Opcode Fuzzy Hash: 7b41cbce8cb9ce157425eba8893da516d35bacda37f2e7cf805d2a9034564f9f
Instruction Fuzzy Hash: 005148B090034A8FEB54DFA9D548BDEBFF1FF88314F208459E009A7260DB746944CB66

Function 015AD378 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015AD3F6
GetCurrentThread.KERNEL32 ref: 015AD433
GetCurrentProcess.KERNEL32 ref: 015AD470
GetCurrentThreadId.KERNEL32 ref: 015AD4C9

Memory Dump Source

Source File: 00000000.00000002.2265079723.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f00d2333a50b0bcf470070f9687dc2f268ef4ea324541ecca1da99cc33b2fdbb
Instruction ID: b05d57a8f5a4e1112a89df046f082fbdcd1b1ee939b53bc7f0678f50cb558e62
Opcode Fuzzy Hash: f00d2333a50b0bcf470070f9687dc2f268ef4ea324541ecca1da99cc33b2fdbb
Instruction Fuzzy Hash: 875139B090034A8FEB54DFA9D548BDEBFF1FF88314F208459E419A7260DBB46944CB66

Function 0901FB8A Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0901FDC6

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 522b89b68f1faaa396dd8d39517c9a14ec1436fb66148184c77113df21ef24db
Instruction ID: 2876bebc4957cec06ce0f5524408ec7f627dbbd872fdce9f48963ac498025fd7
Opcode Fuzzy Hash: 522b89b68f1faaa396dd8d39517c9a14ec1436fb66148184c77113df21ef24db
Instruction Fuzzy Hash: 01913871D0025ACFEF24CFA8C941BADBBF2FB48314F148969E908A7250DB749985CF91

Function 0901FB90 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0901FDC6

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 98c857d71157049aef5d4f435e76efc76539467d8c2ac894c0c84e51881ee64a
Instruction ID: 472d51a7d05aae1a7296a10de529273bd2f1f577d4fa662f55fc769832961adb
Opcode Fuzzy Hash: 98c857d71157049aef5d4f435e76efc76539467d8c2ac894c0c84e51881ee64a
Instruction Fuzzy Hash: 46913971D0025ACFEF24CF68C941BADBAF2FF48310F148969E908A7250DB749985CF91

Function 015AB3B1 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015AB626

Memory Dump Source

Source File: 00000000.00000002.2265079723.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d777e02997881322e693f3366cae0728dd54cdd725d84c713dad3bbe105ef05a
Instruction ID: 7677d575a91286c59c9284355000e33aecc72d51a5118f96c0e05f25d85f7bae
Opcode Fuzzy Hash: d777e02997881322e693f3366cae0728dd54cdd725d84c713dad3bbe105ef05a
Instruction Fuzzy Hash: 028146B0A00B068FD765DF29D44479EBBF1FF88204F008A2ED58ADBA51E774E845CB91

Function 015A590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015A59C9

Memory Dump Source

Source File: 00000000.00000002.2265079723.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 58cfbb7418b2475908ff38eae441394402d8161734e8f92c83c6b3044185a4a0
Instruction ID: bf5be9c3b03f24923368fa7a62cafac787561b62264b1affbb28e58b92000dae
Opcode Fuzzy Hash: 58cfbb7418b2475908ff38eae441394402d8161734e8f92c83c6b3044185a4a0
Instruction Fuzzy Hash: 4041EFB1D0071DCBDB24CFA9C984BDEBBB5BF48704F60816AD408AB251DBB16945CF90

Function 015A44F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015A59C9

Memory Dump Source

Source File: 00000000.00000002.2265079723.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 62bb362ad53fdd78a175e16428942adaeb4f3e126103d820b70ef3347bd8bc97
Instruction ID: 2722d80c96957f4ceda8c9d37c242991e14b653c706cd039df67e21c7f686065
Opcode Fuzzy Hash: 62bb362ad53fdd78a175e16428942adaeb4f3e126103d820b70ef3347bd8bc97
Instruction Fuzzy Hash: 5241EFB0D0071DCBDB24CFA9C984BDEBBB5BF49704F60806AD508AB251DBB16945CF91

Function 0901F900 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0901F998

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 48d9d7b0fa7ce160855fd5f365c55f20688ca5fa844f9eb42bdc93cc028503bd
Instruction ID: 7b9fac3bdd8aaaec7bf32c5ae04a15a051f2a2f1165b7284998c9665ccdbdec1
Opcode Fuzzy Hash: 48d9d7b0fa7ce160855fd5f365c55f20688ca5fa844f9eb42bdc93cc028503bd
Instruction Fuzzy Hash: 9E2126B190034A9FDF10DFA9C985BDEBBF1FF48314F108829EA19A7240D7789954CBA5

Function 0901F908 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0901F998

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2b122c37208654b5cb8daf765224af9ab64cee8aa7bf133f233b5fd8ef4e018b
Instruction ID: 73bd683703a107003a0dd36534ddf84bf8b5a27bc8d9df7675da9c840ecd9649
Opcode Fuzzy Hash: 2b122c37208654b5cb8daf765224af9ab64cee8aa7bf133f233b5fd8ef4e018b
Instruction Fuzzy Hash: C62126B190034A9FDF10DFAAC985BDEBBF5FF48310F108829E918A7240D7789954CBA5

Function 0901F9F0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0901FA78

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5120cce9fdba2f229a151ac46dbe4acf708eeb2dd664d29fe3bb8eb429348a84
Instruction ID: 4a0eeb1e78243b5cc297334fd8181e4a52c61689c3ca8b72b8e9b018db616763
Opcode Fuzzy Hash: 5120cce9fdba2f229a151ac46dbe4acf708eeb2dd664d29fe3bb8eb429348a84
Instruction Fuzzy Hash: D22148B18003499FDF10DFAAC881BEEBBF1FF48310F10842AE618A7240C7789511CBA1

Function 0901F330 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0901F3B6

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: bd44c66d0a1e9b87bb154d1d2a8872073999f6700fb48462b1f9dbbcd400df47
Instruction ID: 0f90ae3e1e2202379ab0813141dd9d7722e097e74c2e5769ec997cf1bb774803
Opcode Fuzzy Hash: bd44c66d0a1e9b87bb154d1d2a8872073999f6700fb48462b1f9dbbcd400df47
Instruction Fuzzy Hash: CA214CB1D003098FDB10DFAAC4857EEBBF4EF88314F14842AD519A7240D7789945CFA1

Function 0901F9F8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0901FA78

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c6d816ba0acd5f161ee7412426692b5aad4a358e3590b9b29b40ff82490629e9
Instruction ID: f3edcaaf3eaa4cdd6a63bc6b768f45d5a290c5110942ec1490a4d8560489ce92
Opcode Fuzzy Hash: c6d816ba0acd5f161ee7412426692b5aad4a358e3590b9b29b40ff82490629e9
Instruction Fuzzy Hash: 942128B19003499FDB10DFAAC881BEEBBF5FF48310F508429E518A7250C7799550CBA5

Function 0901F338 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0901F3B6

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e1fcd17f731a57fb58623f0ef916644783e9b7bc4235e1887ae60b3d3d805422
Instruction ID: 94ea6d78c60b5a06bd0f0384001cbd79261cf244b1f615e7236e8c3ca7c3c0d6
Opcode Fuzzy Hash: e1fcd17f731a57fb58623f0ef916644783e9b7bc4235e1887ae60b3d3d805422
Instruction Fuzzy Hash: 92212C71D003098FDB10DFAAC4857EEBBF4EF48314F14842AD559A7241D7789544CFA5

Function 015AD9C8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015ADA4F

Memory Dump Source

Source File: 00000000.00000002.2265079723.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6de7a37d73d9c560b8a9bccc819ff07900bbf491a7c083742500ebb5735d1654
Instruction ID: 37f636a827377739465a031baa13299e46e613c18679b9c7b18911b1a0e769c5
Opcode Fuzzy Hash: 6de7a37d73d9c560b8a9bccc819ff07900bbf491a7c083742500ebb5735d1654
Instruction Fuzzy Hash: 5321C4B5900249DFDB10CF9AD984ADEBFF4FB48320F14841AE918A7350D375A954CF65

Function 015AD9C1 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015ADA4F

Memory Dump Source

Source File: 00000000.00000002.2265079723.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dfe242e450dae7d82ec3d913435dc9f32afedfb85453b6c7e1444af3a8ebe9ce
Instruction ID: 85d9b89c54bdd50124fca1b29709a071d9c3f5d0a6f37e878b2e0e21d32d056c
Opcode Fuzzy Hash: dfe242e450dae7d82ec3d913435dc9f32afedfb85453b6c7e1444af3a8ebe9ce
Instruction Fuzzy Hash: FE21E2B5D00209DFDB10CFA9D984AEEBBF4FB48324F14841AE918A7350D378A954CF61

Function 0901F841 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0901F8B6

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 65a3940f246b74d38cf35d3e46ada0b13b479f47fb55bc1031dfa3b52f0512d2
Instruction ID: 892be0759cfa6790f7304bff1ae81a974e349a497fd82883f6f7e96f90352f08
Opcode Fuzzy Hash: 65a3940f246b74d38cf35d3e46ada0b13b479f47fb55bc1031dfa3b52f0512d2
Instruction Fuzzy Hash: 3711567290024A9FDB20DFAAC845BDFBBF5EF88320F10881AE519A7250C7759951CBA1

Function 0901F848 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0901F8B6

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 364649848b313aeb76b843da9ac4a052e1f650bcb0517d3edbd472dde6658dfb
Instruction ID: c5050aa777bab705de348d37b0c9e5a133b993c6daf01b8149450c05b04a754b
Opcode Fuzzy Hash: 364649848b313aeb76b843da9ac4a052e1f650bcb0517d3edbd472dde6658dfb
Instruction Fuzzy Hash: 8811567290024A9FDB10DFAAC844BDEBBF5EF88320F10881AE519A7250C775A550CBA1

Function 0901F281 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0901F2EA

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b90665f1e6f5e7b275b7c82130d3de0694f648cd8b2413954965bf8a8d2e55b9
Instruction ID: 0b2a468b43e669fca85a628d97deb6e521203096955dfcd42727b58b80533326
Opcode Fuzzy Hash: b90665f1e6f5e7b275b7c82130d3de0694f648cd8b2413954965bf8a8d2e55b9
Instruction Fuzzy Hash: 5C116AB1D003498FDB20DFAAC8457DEFBF4EF88724F208819D519A7240CB79A545CBA5

Function 0901F288 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0901F2EA

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: df0902db0b5d8d96f8f7d3799f8e1e662d368c1696c6983b13ecf6259bd5782f
Instruction ID: 29326f181b3fd8f8c5cbe5d292a703df1ecd491b37b5874bb504c656c2f71d8b
Opcode Fuzzy Hash: df0902db0b5d8d96f8f7d3799f8e1e662d368c1696c6983b13ecf6259bd5782f
Instruction Fuzzy Hash: 81113AB19003498FDB10DFAAC8457DEFBF4EF88724F248819D519A7240CB75A544CBA5

Function 04F62410 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04F62475

Memory Dump Source

Source File: 00000000.00000002.2291861247.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f60000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2fd9fc0580a00b1dd942d9f378af5d3307108aad80b8637c59b28b34ae3b75cd
Instruction ID: f293da51c6b0bf172a18e2b2c6fd8a57f40e315575e89c13f502c42fab68ae13
Opcode Fuzzy Hash: 2fd9fc0580a00b1dd942d9f378af5d3307108aad80b8637c59b28b34ae3b75cd
Instruction Fuzzy Hash: 8B1133B5800349CFDB10CF9AC485BDEBBF4FB48320F10841AD968A7200C375A955CFA1

Function 015AB5C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015AB626

Memory Dump Source

Source File: 00000000.00000002.2265079723.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6d7c5c92bc0ed101caf29e4464c0209cb29c4d8471decdfc78b592ca1d98ee76
Instruction ID: f3ce394042ab5d267ecf75f889e2f94be311eb9302ec6b3c5bb8000190a986b0
Opcode Fuzzy Hash: 6d7c5c92bc0ed101caf29e4464c0209cb29c4d8471decdfc78b592ca1d98ee76
Instruction Fuzzy Hash: C3110FB6C003498FDB10CF9AC844ADEFBF4AF88224F14841AD528A7600C379A545CFA1

Function 04F61D90 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04F62475

Memory Dump Source

Source File: 00000000.00000002.2291861247.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f60000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c9164d1b82d698eed0ced7c8c7e236817896cb12893c0bc3e6b306be779091a1
Instruction ID: 85bdc96e38f071ac3dca527d113603fe5b5a23fc37ca993284eefbcc34ab9e56
Opcode Fuzzy Hash: c9164d1b82d698eed0ced7c8c7e236817896cb12893c0bc3e6b306be779091a1
Instruction Fuzzy Hash: D61136B5800349DFDB10DF99C444BEFBBF8EB48320F10845AE919A7201D374A954CFA1

Function 09010168 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 090101C8

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 323f17158eb0a46e582c91cec3d9ecaa0680b8e7ea5a6c8cb7a3ea20ec2b023b
Instruction ID: 20913f1dfde6cacb1c0d4cee6841f16830ae6f7be22947f60cca090aa7cd4eee
Opcode Fuzzy Hash: 323f17158eb0a46e582c91cec3d9ecaa0680b8e7ea5a6c8cb7a3ea20ec2b023b
Instruction Fuzzy Hash: E11136B5800249CFDB10CF9AC644BEEBBF4EF48320F10881AD958A7640D778A594CFA1

Function 09010170 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 090101C8

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8e8d95bfca7df4eeee0980ef2dc6fcc8cf0df41446a241960448853485052712
Instruction ID: 963c74b3758f8d30084cd26fb9fb4ef1dc85972cd3e3cb9926b55f1f20926fec
Opcode Fuzzy Hash: 8e8d95bfca7df4eeee0980ef2dc6fcc8cf0df41446a241960448853485052712
Instruction Fuzzy Hash: 1D1103B6800349CFDB10DF9AC545BEEBBF4EB48324F20881AD958A7640D778A594CFA5

Function 0154D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2263955323.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_154d000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea3529c697258010b8bde8e4d2f539b26242be0fe5988ab4fa6c77350dcd0b7
Instruction ID: be1df80a6920bfd5450aac978e32bb93601b24967fa17e66ff71ab857c9d4358
Opcode Fuzzy Hash: 1ea3529c697258010b8bde8e4d2f539b26242be0fe5988ab4fa6c77350dcd0b7
Instruction Fuzzy Hash: 73214876500204DFDB05DF54D9C0B6ABFB5FB94328F20C56CE9090F256C3BAE456CAA1

Function 0154D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2263955323.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_154d000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44993eef5445c8cfd6363fe059764c466c39008c41bbe7027e4251561de5480
Instruction ID: 01b63b609e0b0e40fbb0c0d3f11517d239d0877625da1d868c7b3aadd51df48e
Opcode Fuzzy Hash: f44993eef5445c8cfd6363fe059764c466c39008c41bbe7027e4251561de5480
Instruction Fuzzy Hash: EB212172600240EFDB05DF54D9C0B6ABFB1FB9831CF208569E9090F256C736D416CAA1

Function 0155D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2264127359.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_155d000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daee93cda3a6a47c688c2797b7613de03d8f9f21941cd5317ddf0af12da8ed5a
Instruction ID: 2736637391195e9fcba26e67e9c7bbc900c7d82d116a7c3ada6ac807003aed8d
Opcode Fuzzy Hash: daee93cda3a6a47c688c2797b7613de03d8f9f21941cd5317ddf0af12da8ed5a
Instruction Fuzzy Hash: B3210072504200EFDB45DF94D9D0B2ABBB1FB84324F20C96EED0A4F252C77AD446CA61

Function 0155D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2264127359.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_155d000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131e8200e2f8859d76949cb80094b3d04a8e51ff02ba827856bf00d5e9ff02e6
Instruction ID: cb8bfc4a8395f1b7a87b21635820d7e9d1d245d50a7b9f47014e74c0a53c0d2a
Opcode Fuzzy Hash: 131e8200e2f8859d76949cb80094b3d04a8e51ff02ba827856bf00d5e9ff02e6
Instruction Fuzzy Hash: DE21FF76604204EFDB55DF54D990B2ABBA1FB84314F20C96EDD0A4F262D37AD406CA61

Function 0155D005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2264127359.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_155d000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e652a1a3cc4af266635d93acdea5bf5b95b27b93dd280fec087367e373df091
Instruction ID: 0c56c2094f64cd076fb3cfb46c1898b8cb46f964166efc6526c3945f82960a98
Opcode Fuzzy Hash: 5e652a1a3cc4af266635d93acdea5bf5b95b27b93dd280fec087367e373df091
Instruction Fuzzy Hash: 532180765083849FDB02CF64D994B15BF71FB46214F28C5EAD8498F2A7D33AD806CB62

Function 0154D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2263955323.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_154d000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 6a5cd4eb0ded3ba2bfd51a0e40e391bdb51468cd3140dc4db7ae3c8fb864af62
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 2311CDB6404280CFCB02CF54D5C4B5ABF71FB94228F2482A9D8090A256C37AE456CBA1

Function 0154D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2263955323.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_154d000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: af81c0a2be1f2edbbaf12def133575797616853eb07358a1ef9976e7b839f76c
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: A211DF76504280CFCB02CF54D5C0B5ABF71FB94318F24C6A9D8090F256C33AD456CBA1

Function 0155D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2264127359.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_155d000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 39d69b677ebfdb9f22b9b5bd0e1554136b8bac21df02d86d347fea0b969da75c
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 7611BB76504280DFCB42CF54C5D0B19BBB1FB84224F24C6AEDC494F6A6C33AD44ACB61

Function 0154D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2263955323.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_154d000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4e86bbc733d4944ebf40af8009f2325a359754a0cf80294b1dc58dd60cb6eb
Instruction ID: c9f5c1d7a2e13b188404cfc3f071a392852de901f08dad2a76b264865db39abf
Opcode Fuzzy Hash: db4e86bbc733d4944ebf40af8009f2325a359754a0cf80294b1dc58dd60cb6eb
Instruction Fuzzy Hash: 1901F7710043849BF7108FA9CD84B6ABFE8EF51228F08C91AEE084E282C6799440C671

Function 0154D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2263955323.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_154d000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a154bd1df4f13c4610a6e69982c093e9b07196bfe365e0cbd644a5a3dc3cfda
Instruction ID: db1e1251164687c28d2bc4ad2e8c838f42dba8ee045dc0c610c978f159b72758
Opcode Fuzzy Hash: 4a154bd1df4f13c4610a6e69982c093e9b07196bfe365e0cbd644a5a3dc3cfda
Instruction Fuzzy Hash: 59F062724053849FE7118E59DD88B66FFA8EB91638F18C45AED084E287C279A844CBB1

Non-executed Functions

Function 0901D260 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

Yyn_, xrefs: 0901D2BB

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID: Yyn_
API String ID: 0-3435906727
Opcode ID: 7b42457a9a525a16f0bf3f94317029a8bf8dbe9c847b19fa837b486351e3d470
Instruction ID: e7de832541e95b3f19f7329a4e2e0cd34fb27b2f599c5d749f0df81e5d741aab
Opcode Fuzzy Hash: 7b42457a9a525a16f0bf3f94317029a8bf8dbe9c847b19fa837b486351e3d470
Instruction Fuzzy Hash: 6AE11974E002698FDB14DF99C580AAEBBF2FF89304F248669D415AB355D730AD42CF61

Function 04F642E8 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291861247.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f60000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acca1db6ef1bc9733c7c9c2ea9e19d0d87031bbeab66f6a4f9156de5f2751ae8
Instruction ID: f03c090d9c09465527980061d4eadc1f2b2634e59f4315733a1455d58f0010a6
Opcode Fuzzy Hash: acca1db6ef1bc9733c7c9c2ea9e19d0d87031bbeab66f6a4f9156de5f2751ae8
Instruction Fuzzy Hash: 2AD1DC30B016118FEB29EF75C460BAFBBF6AF89304F1484A9C5469B391DB35E902CB55

Function 0901C9D8 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ae13a7578aabff34a77b09e1b0e6ca551cc6c4e5a4f2e828e0b14c62f7ae92
Instruction ID: b46bb5eed7e054dcc101d8d83e36fce8bbade098223f27018a3e422f76fd0af0
Opcode Fuzzy Hash: d9ae13a7578aabff34a77b09e1b0e6ca551cc6c4e5a4f2e828e0b14c62f7ae92
Instruction Fuzzy Hash: C4E14974E002698FDB14CFA9C580AAEBBF2FF89304F248269D445AB355D770AD42CF61

Function 0901EA60 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ab61c0b8a1cb3154b962a54714cbc87278ca6e02127af6bcef27df4f4fdf86
Instruction ID: d7d755a46b4b99d888837fe2e13e12938c4cbfb2fd4f5133ae78f7614da60d15
Opcode Fuzzy Hash: 94ab61c0b8a1cb3154b962a54714cbc87278ca6e02127af6bcef27df4f4fdf86
Instruction Fuzzy Hash: 83E10974E002698FDB14DF99C580AAEFBF2FF88304F248669D815AB355D770A942CF61

Function 0901CE28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b931e1bdca02e569c470466862dc4b200a015b1443d83ab74e5f5467da5e50b
Instruction ID: 4a2185d574bc2e47f21ced7d194c33edc31205e0f55fe8f877b30cd50b54f6cc
Opcode Fuzzy Hash: 6b931e1bdca02e569c470466862dc4b200a015b1443d83ab74e5f5467da5e50b
Instruction Fuzzy Hash: 28E10974E002698FDB14DFA9C580AAEBBF2FF88304F248669D419A7355D770AD42CF61

Function 0901F410 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7133b3e8a51ea65f6bace8d7264947a987a20751ec191b52b03b58e623b4010
Instruction ID: fbc64c59c3e83edcad518104849925dc837f3e76ddeb3081624055c8dc6e14b4
Opcode Fuzzy Hash: a7133b3e8a51ea65f6bace8d7264947a987a20751ec191b52b03b58e623b4010
Instruction Fuzzy Hash: 38E11874E0021A8FDB14DFA9C580AAEBBF2FF88304F248669D515AB355D770AD42CF61

Function 015AD8EC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2265079723.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a0000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea10e43a89dff4a5d015c0ee348e6e1800a081b78e21dc3de1a48f4d4b10e86
Instruction ID: e78a491795f93b65c3b700dc8b18ee5de0311445b38d5834014aa80884310ea3
Opcode Fuzzy Hash: aea10e43a89dff4a5d015c0ee348e6e1800a081b78e21dc3de1a48f4d4b10e86
Instruction Fuzzy Hash: 26A17F32E4021A8FCF15DFB4C8805EEBBB2FF85300B55856AE905AF265DB71E946CB40

Function 09015300 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcb39cdef61edab1363657c8ffa517cec136d92d81be96bcf674f24b1e7211e
Instruction ID: f890eb50cadb42d07687ecbc27006c3bb3fadebbf067b3282b70cd5a06a5ff3c
Opcode Fuzzy Hash: 1dcb39cdef61edab1363657c8ffa517cec136d92d81be96bcf674f24b1e7211e
Instruction Fuzzy Hash: EE91EFB0D05218DFDB14CFA9D884BEDBBF6BF89300F10986AE419AB261DB744985DF40

Function 090152F0 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c76dc914c7cb7b46f972446e41bb201549c05d58b61a2532d5128dded34cd4
Instruction ID: 8b026802b5579479e43e1184e03db5f32e433271985900bb21c227e96ebc89c4
Opcode Fuzzy Hash: c0c76dc914c7cb7b46f972446e41bb201549c05d58b61a2532d5128dded34cd4
Instruction Fuzzy Hash: F191DEB0D05218DFDB14CFA9D8847EDBBB2BF89304F10946AE419AB261DB744986DF50

Function 09013F50 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32f5b3dc286dfabd578ea0f1e2d1a8dc09f339e4a017505d3c49725b4623c572
Instruction ID: 2cb05f5d3f4a4c6f3622721697fe0fbf070b8d5dcb14a7c82c50a0fae9279f03
Opcode Fuzzy Hash: 32f5b3dc286dfabd578ea0f1e2d1a8dc09f339e4a017505d3c49725b4623c572
Instruction Fuzzy Hash: A871097091121ACFDB48EF6AE84169E7FF2FBC8304F14C56AD105AB268EFB45809DB40

Function 09013F70 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320970ac42fbf6de65c9ba831ae94777739382123004566a6982d2e92dc7fe41
Instruction ID: a5155bc9a4bf8bce0b08c80d230b261304e22fdbe8c22d50f936f295f6d7e937
Opcode Fuzzy Hash: 320970ac42fbf6de65c9ba831ae94777739382123004566a6982d2e92dc7fe41
Instruction Fuzzy Hash: B361E9709112168FDB48EF6AE84169A7FF2FBC8304F14C56AD105AB268EEB458099B50

Function 0901BE80 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe0c30119e2c0fe6654301d91652063b22f165c74ad228244590b65ec8a9565
Instruction ID: 0d2cc947993306253345eeebc3046fa64c30f38a9b40fe40d7e8fed0006d614b
Opcode Fuzzy Hash: 3fe0c30119e2c0fe6654301d91652063b22f165c74ad228244590b65ec8a9565
Instruction Fuzzy Hash: 5451E374E09219CFCF04CFAAD4849EEBBFABF89350F149869E519A7219D7309A41CF50

Function 0901CE18 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2304895426.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9010000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bce01126d0a071fae0ec715d2637dee26dac37cb1bc46a8e7902d199bf83f5f
Instruction ID: 6976702f911981795ce949741bda09bedb8550573cac0a8b896e036f778e63b2
Opcode Fuzzy Hash: 2bce01126d0a071fae0ec715d2637dee26dac37cb1bc46a8e7902d199bf83f5f
Instruction Fuzzy Hash: 3351F975E002698FDB14CFA9C5805AEFBF2FF89304F24866AD458A7355D7309A42CFA1

Analysis Process: pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exePID: 5160, Parent PID: 5392COMMON

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	83
Total number of Limit Nodes:	9

Executed Functions

Function 0328652F Relevance: 6.1, APIs: 4, Instructions: 140
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 032865BE
GetCurrentThread.KERNEL32 ref: 032865FB
GetCurrentProcess.KERNEL32 ref: 03286638
GetCurrentThreadId.KERNEL32 ref: 03286691

Memory Dump Source

Source File: 00000003.00000002.2302656415.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3280000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 05800690993e458206c8f30c1c247bfbaf6a0edab2f0882bf9a01a82232a8599
Instruction ID: 9f10740736429049d2cc50a404d7a43d2f4b17f6ee8d1a4cb6b1da6bed3b0d12
Opcode Fuzzy Hash: 05800690993e458206c8f30c1c247bfbaf6a0edab2f0882bf9a01a82232a8599
Instruction Fuzzy Hash: E25197B191134ACFDB14DFA9D648B9EBBF1EF88314F248019E108A7390DB789985CB65

Function 03286540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 032865BE
GetCurrentThread.KERNEL32 ref: 032865FB
GetCurrentProcess.KERNEL32 ref: 03286638
GetCurrentThreadId.KERNEL32 ref: 03286691

Memory Dump Source

Source File: 00000003.00000002.2302656415.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3280000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d0e2abd2d6ba05739fca9e3e1fe927ea2677cd2eeccbcac15453685c21cb238a
Instruction ID: 5ed581b92c4aea136ba171944fca3064d7bcf00ca2e8d7fd9a7262cd33653072
Opcode Fuzzy Hash: d0e2abd2d6ba05739fca9e3e1fe927ea2677cd2eeccbcac15453685c21cb238a
Instruction Fuzzy Hash: B35176B091134ACFDB14DFA9D548B9EBBF1FF88314F248019E509A7390DB786984CB65

Function 0328BFF0 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0328C256

Memory Dump Source

Source File: 00000003.00000002.2302656415.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3280000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2c4a73037f4d5a4361b304eefb6e2adac24fb6db630b3763f981f2d2175feafa
Instruction ID: 00037e31bbec2c100017e72a67310ba80f6c5b8ae66e3e339bf16bf173dcb91d
Opcode Fuzzy Hash: 2c4a73037f4d5a4361b304eefb6e2adac24fb6db630b3763f981f2d2175feafa
Instruction Fuzzy Hash: 708147B0A11B168FD724EF69D44075ABBF1FF88700F04892ED446DBA90DB75E885CBA1

Function 03286780 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0328680F

Memory Dump Source

Source File: 00000003.00000002.2302656415.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3280000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 37480f2159a1f75f1596fe7c780c3e7185a25c85a342d1dd19e3d228a58c5f45
Instruction ID: a0a50eb3f553fadab8d4f2355b2ed3ab5cf679bd9ed16f4510dcf246ab329c40
Opcode Fuzzy Hash: 37480f2159a1f75f1596fe7c780c3e7185a25c85a342d1dd19e3d228a58c5f45
Instruction Fuzzy Hash: 83415676900249AFCB01DF99D840ADEBFF9EB48320F18805AEA14A7361D775A954CFA0

Function 03286414 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03287421

Memory Dump Source

Source File: 00000003.00000002.2302656415.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3280000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5c967c631e113f9ca558a9b83e7da5b84ddd566856392a7e43192bcc03ecf741
Instruction ID: 82efded2a395542cab0226a8aa466c1ea66ae24d8f54408be6df5553d9fe3098
Opcode Fuzzy Hash: 5c967c631e113f9ca558a9b83e7da5b84ddd566856392a7e43192bcc03ecf741
Instruction Fuzzy Hash: 3341D2B0C0071DCBDB24DFA9C944B9DBBF6BF44304F24806AD418AB255DBB56985CF90

Function 03287364 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03287421

Memory Dump Source

Source File: 00000003.00000002.2302656415.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3280000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0f72d977d9e23da3bb9ecc38a11b33cf0122382bd32bae1873806174a0fb8f95
Instruction ID: 25cd639c5812c6326f1abe0437d61f976e02f023230e08b70968121923d9c4d0
Opcode Fuzzy Hash: 0f72d977d9e23da3bb9ecc38a11b33cf0122382bd32bae1873806174a0fb8f95
Instruction Fuzzy Hash: 2E41D2B1C0072DCBDB24DFA9C944B8EBBF5BF84304F24805AD418AB255DB756945CF90

Function 03286788 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0328680F

Memory Dump Source

Source File: 00000003.00000002.2302656415.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3280000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 957a2c51b84d46b3b33d3b6727b32f952c1f1c3bd0845395f033998d3b4172fe
Instruction ID: 9d376963050d30c3d0e0596483594346b758ca987377b2a18621caa0e31c92d3
Opcode Fuzzy Hash: 957a2c51b84d46b3b33d3b6727b32f952c1f1c3bd0845395f033998d3b4172fe
Instruction Fuzzy Hash: 7821B3B59012499FDB10CF9AD984ADEBBF4FB48320F14841AE918A3350D374A954CFA5

Function 0328C1F0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0328C256

Memory Dump Source

Source File: 00000003.00000002.2302656415.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3280000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7721e8f8bb05f4545d020683d0ab2f3ecbdbe65f49ae6fd1a6466ff1e051f5a8
Instruction ID: 5093bce56ec4049f4bcd0a81d19996db7efdde5cd1f7eb3f1a7d6a06ab63faae
Opcode Fuzzy Hash: 7721e8f8bb05f4545d020683d0ab2f3ecbdbe65f49ae6fd1a6466ff1e051f5a8
Instruction Fuzzy Hash: 9F110FB6C002498FCB20DF9AC444B9EFBF4AF88220F14841AD429A7650D3B9A545CFA1

Function 0189D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2299789648.000000000189D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0189D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_189d000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264b4fbc0918a987141f8a3d9f8236578ec0063ff3f50789fb4931f34d4dd401
Instruction ID: 77344e56feed2fba444ce2d2282c578223b713d0de63f0855a0d317594a7d2f7
Opcode Fuzzy Hash: 264b4fbc0918a987141f8a3d9f8236578ec0063ff3f50789fb4931f34d4dd401
Instruction Fuzzy Hash: 1D212275604304EFDF15DF68D9C0B26BB61FB84358F28C66DE90A8B252C37AD507CA61

Function 0189D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2299789648.000000000189D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0189D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_189d000_pdf_2025 QUOTATION - #202401146778.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 046542eb57cdd27bd8a83cf889e10502865213f30516b8ab9d726d6c5e87d480
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: CE11BB75504280CFDB12CF58D5C4B15BBA2FB84314F28C6AAD8098B656C33AD50ACBA2

Analysis Process: Exccelworkbook.exePID: 6636, Parent PID: 5160COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	39
Total number of Limit Nodes:	5

Executed Functions

Function 0151B3C1 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0151B626

Memory Dump Source

Source File: 00000006.00000002.2338366809.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1510000_Exccelworkbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f6a98f77461d046de8adca9a0fb32322c796ae914bb8decd69d9cd9853963822
Instruction ID: e1e234befd96c5b41311342a757fad6bddec942007189c7ecd8070fc45dc5b45
Opcode Fuzzy Hash: f6a98f77461d046de8adca9a0fb32322c796ae914bb8decd69d9cd9853963822
Instruction Fuzzy Hash: F4814970A00B058FE726DF29D44079ABBF2FF88304F008A2DD55ADBA55D774E805CB91

Function 0151590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015159C9

Memory Dump Source

Source File: 00000006.00000002.2338366809.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1510000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2755b67d44d9fb0f18bc7c456279ec6aff0b507a2deb6332e7ede67e24865e7c
Instruction ID: 94d7dc191fe1cacf8447a5993793e6a6f5fa73a9ec53d2915c5b9194da21698a
Opcode Fuzzy Hash: 2755b67d44d9fb0f18bc7c456279ec6aff0b507a2deb6332e7ede67e24865e7c
Instruction Fuzzy Hash: 7541F271C0071DCBEB25CFA9C984BCEBBB6BF89704F20805AD418AB255DBB16946CF50

Function 015144F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015159C9

Memory Dump Source

Source File: 00000006.00000002.2338366809.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1510000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4009fe66c2af85a35cfa50e7fdce935cb0ae3a8907525f02ed15dee41b62fcf9
Instruction ID: 9669d488a7636313e752163880f355a5de59da2f7463b9d1e934db89fa216c77
Opcode Fuzzy Hash: 4009fe66c2af85a35cfa50e7fdce935cb0ae3a8907525f02ed15dee41b62fcf9
Instruction Fuzzy Hash: 91410271C0071DCBEB25CFA9C984B8EBBF5BF89304F20806AD518AB255DBB16945CF90

Function 0151B3B0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0151D586,?,?,?,?,?), ref: 0151DA4F

Memory Dump Source

Source File: 00000006.00000002.2338366809.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1510000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ecab208e698524ade5a95abe2e0c55cbdd26426d48e38b786c5e522d72c8fc6f
Instruction ID: df0c0f50ff62fa1fe0c3c79dfc4cfd2a9643e266c7ba7a30b676d3267dcb331e
Opcode Fuzzy Hash: ecab208e698524ade5a95abe2e0c55cbdd26426d48e38b786c5e522d72c8fc6f
Instruction Fuzzy Hash: 8B21E5B5904209DFDB10CF9AD984AEEBFF5FB48320F14841AE918A7350D378A954CFA1

Function 0151D9C1 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0151D586,?,?,?,?,?), ref: 0151DA4F

Memory Dump Source

Source File: 00000006.00000002.2338366809.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1510000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b5d57e5849fd5a8f1c88d8775065fae142c458da0e40754bb7c184d6b67a3f0c
Instruction ID: b2d972b04587febb7754004a035e95058f6e1d2cf244ed6eeea1f0408e25471d
Opcode Fuzzy Hash: b5d57e5849fd5a8f1c88d8775065fae142c458da0e40754bb7c184d6b67a3f0c
Instruction Fuzzy Hash: 1A21E0B6D00209DFDB10CFA9D985AEEBBF4BB48320F14841AE918B7310D378A954CF60

Function 04ED1DC0 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04ED2575

Memory Dump Source

Source File: 00000006.00000002.2366182330.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ed0000_Exccelworkbook.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d5bfe3e9696a9173ec7f4af10bb99ad6acd542c650390e5f984f5018e96921e2
Instruction ID: d6512dcd4b86a93f634aaf9451d1f5e8299d3f7316d4ec28300d03951b8793f0
Opcode Fuzzy Hash: d5bfe3e9696a9173ec7f4af10bb99ad6acd542c650390e5f984f5018e96921e2
Instruction Fuzzy Hash: 9211F5B5800349DFDB10DF99D585BDEFBF8EB48324F108459E518A7200D3B5A954CFA1

Function 0151B5C0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0151B626

Memory Dump Source

Source File: 00000006.00000002.2338366809.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1510000_Exccelworkbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7e1cd721aa1867477da38814d04041733cc143ace6d5ad7fa8fce850232f58b0
Instruction ID: 4c878264be4d50dbc343005dbf988a5a1cad34a7a76442cbd9383756abfce193
Opcode Fuzzy Hash: 7e1cd721aa1867477da38814d04041733cc143ace6d5ad7fa8fce850232f58b0
Instruction Fuzzy Hash: 3B1102B5C003498FDB14CF9AC444A9EFBF4AF88220F10845AD518B7210C375A545CFA1

Function 04ED2511 Relevance: 1.5, APIs: 1, Instructions: 46
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04ED2575

Memory Dump Source

Source File: 00000006.00000002.2366182330.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ed0000_Exccelworkbook.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: badf4d776649cad46d9a3ad49d8bdf854c86b1b4fd4819b2c5e7a0ba3396835a
Instruction ID: 553bbf092e1706d8fa9a3b806d8a1caa20c04823d6964260d5e0f982e7f9d112
Opcode Fuzzy Hash: badf4d776649cad46d9a3ad49d8bdf854c86b1b4fd4819b2c5e7a0ba3396835a
Instruction Fuzzy Hash: F811F2B5800349CFDB10CF99D584BDEBBF4EB48324F10855AD518A7610C3B9A645CFA1

Function 013AD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2335602110.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13ad000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12fe2165752ce31af42a604c91c9a7ccfc43d55952e5848e60053f0d9eb6d588
Instruction ID: 5569af085cfd670b97d2b0263dfc559b14e3bfa505e14083331ec406ecd57868
Opcode Fuzzy Hash: 12fe2165752ce31af42a604c91c9a7ccfc43d55952e5848e60053f0d9eb6d588
Instruction Fuzzy Hash: 002125B2504244EFDB05DF94D9C0B2ABF65FB88328F60C669ED090BA56C376D416CBA1

Function 013AD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2335602110.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13ad000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5a1ea1bf6709a8b34b7c2b797d83e4a5437236227bbb66d6c651ef549e6eb6
Instruction ID: 2b99b2f58f20a4d212824802ab132c299c43141573e9e58b83f0b908d7d229e2
Opcode Fuzzy Hash: cc5a1ea1bf6709a8b34b7c2b797d83e4a5437236227bbb66d6c651ef549e6eb6
Instruction Fuzzy Hash: 642145B2500244EFDB05DF54D9C0B2ABF65FB8831CF60C56DE9490BA56C336D416CBA1

Function 013BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2336001016.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13bd000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ada6b647c3b74e8c705a4055ca7038b2d9c0134b42c7b03946c0f81b6ff7d7f
Instruction ID: 005f918d7fa232a603062802756ca2091472a994ee87d41631a7e24f5bff3ad3
Opcode Fuzzy Hash: 8ada6b647c3b74e8c705a4055ca7038b2d9c0134b42c7b03946c0f81b6ff7d7f
Instruction Fuzzy Hash: FF214275604204EFCB14DF58D9C0B26BF65FB8831CF20C56DDA0A0BA52D33AC407CA61

Function 013BD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2336001016.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13bd000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b2b0b334efc30d5b4b3cac9d111877b9641a5d83458bf2a7ab59d3f5c26e6a
Instruction ID: 9c30fca408c4fdae2df346037741582f76b7fe6c366f0057efd8dde1dab38de6
Opcode Fuzzy Hash: f9b2b0b334efc30d5b4b3cac9d111877b9641a5d83458bf2a7ab59d3f5c26e6a
Instruction Fuzzy Hash: 16216471504284EFDB05DF94D9C0B26BBA5FB8432CF20C56CEA090FA52D336D806CB61

Function 013BD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2336001016.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13bd000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d668ad8c30f14396d97fa6f47290e4fe53db0b74b6d52b4b46f8d12462d50c3b
Instruction ID: 14eee865217b42fcdc54dc3e6cb11dd711a97bb7979ccc67df67aff1f50a787f
Opcode Fuzzy Hash: d668ad8c30f14396d97fa6f47290e4fe53db0b74b6d52b4b46f8d12462d50c3b
Instruction Fuzzy Hash: A521B0754083809FCB02CF24D9D4B11BF71EB46218F28C5DAD9498F6A7C33AD806CB62

Function 013AD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2335602110.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13ad000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
Instruction ID: 9a778e24043cab5d3172d26f5359374888556dda306a9635075f7547953925d3
Opcode Fuzzy Hash: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
Instruction Fuzzy Hash: 0521DFB6404280CFCB06CF44D9C4B16BF72FB84324F24C2A9DC480B656C33AD426CBA1

Function 013AD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2335602110.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13ad000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 07bc2408bdf9bed2d0c22168070b5ee1eaba317ae3c9fde1b44e4fce7fd58dbd
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 6811E676504284CFCB16CF54D5C4B1ABF71FB84318F24C6A9D8490B657C33AD456CBA1

Function 013BD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2336001016.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13bd000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: cfc4e42c5d79424ee4318c50e43af7f238c198d5471e979cd4cacf123dc171de
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: AA11BB75504280DFCB02CF54C5C0B55BFB1FB84228F24C6A9D9494F6A6C33AD40ACB61

Function 013AD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2335602110.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13ad000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb915244da8b66454e412dabc6ad83a6158c2b468fdb7e0540d1fd5554d9e49
Instruction ID: 7f8737fe1b188bb48b2815ff34003e49dd2ccb1f58e7438d229485bd4cdac99f
Opcode Fuzzy Hash: 7fb915244da8b66454e412dabc6ad83a6158c2b468fdb7e0540d1fd5554d9e49
Instruction Fuzzy Hash: 90012B71004384DAF7185EA9CDC4B26BF9CDF41368F48C51AEE090AA96CABA9440C771

Function 013AD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2335602110.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13ad000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6cd0390d65ec7813e8e9b9a548287975ba55e32d461d1fe4bdb37f78466451
Instruction ID: 2e0a938d1dbd2126c75b47224501a909d920397ec86202d7653008cd8a1802af
Opcode Fuzzy Hash: ff6cd0390d65ec7813e8e9b9a548287975ba55e32d461d1fe4bdb37f78466451
Instruction Fuzzy Hash: 13F0F6714043849EF7148E19CCC4B62FF98EF81638F18C05AEE080B697C77A9844CBB1

Analysis Process: Exccelworkbook.exePID: 6664, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	39
Total number of Limit Nodes:	7

Executed Functions

Function 00F1D369 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00F1D3F6
GetCurrentThread.KERNEL32 ref: 00F1D433
GetCurrentProcess.KERNEL32 ref: 00F1D470
GetCurrentThreadId.KERNEL32 ref: 00F1D4C9

Memory Dump Source

Source File: 00000007.00000002.2408292210.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_Exccelworkbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 89565c56ecd6acdda59e54dcf616fa0509862417aa8701766ff8d1c18dcd157a
Instruction ID: 4103b32d27dfa6024075697891f52f1589ad657cb30ea0176a89ed53e1ef0a5f
Opcode Fuzzy Hash: 89565c56ecd6acdda59e54dcf616fa0509862417aa8701766ff8d1c18dcd157a
Instruction Fuzzy Hash: D45147B0900349CFEB54DFA9D548BEEBBF1FF88314F208459D409A7251D7746984CB65

Function 00F1D378 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00F1D3F6
GetCurrentThread.KERNEL32 ref: 00F1D433
GetCurrentProcess.KERNEL32 ref: 00F1D470
GetCurrentThreadId.KERNEL32 ref: 00F1D4C9

Memory Dump Source

Source File: 00000007.00000002.2408292210.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_Exccelworkbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: efc4a08c9583d9bde19538fa59b28ccb7444499eb7836c67297f1258d42aed95
Instruction ID: a33fb55b16002d2b03b2eb6fd5a799eb97a29a0838e14e71e5f502845c91947d
Opcode Fuzzy Hash: efc4a08c9583d9bde19538fa59b28ccb7444499eb7836c67297f1258d42aed95
Instruction Fuzzy Hash: 5C5137B0900349CFEB54DFAAD548BEEBBF1FF88314F208459D009A7250DB746984CB65

Function 00F1B3B1 Relevance: 1.7, APIs: 1, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F1B626

Memory Dump Source

Source File: 00000007.00000002.2408292210.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_Exccelworkbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: abaf016de6e7da2bd4e9838ba4e6d0ea4304d61fe7987e5845926ffed60c8726
Instruction ID: 074a43d98477ed7b74d062ff1a5ab57054ada3c0e8da88dc6b8901588f998bc0
Opcode Fuzzy Hash: abaf016de6e7da2bd4e9838ba4e6d0ea4304d61fe7987e5845926ffed60c8726
Instruction Fuzzy Hash: 0C814370A00B05CFD724DF29D4517AABBF1BF88310F04892EE48AD7A52DB79A845CB91

Function 00F1590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00F159C9

Memory Dump Source

Source File: 00000007.00000002.2408292210.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6331b8e9e0bbb5e72568c4584708364fffdcdc0622851f83d779eae848285617
Instruction ID: 8b099706b97d5487764b889740aa8c4e0582cbf213366fe5dcbcea97e50fd959
Opcode Fuzzy Hash: 6331b8e9e0bbb5e72568c4584708364fffdcdc0622851f83d779eae848285617
Instruction Fuzzy Hash: F24102B1C00719CBEB24CFA9C884BDEBBF5BF88714F60815AD408AB251DB756946CF50

Function 00F144F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00F159C9

Memory Dump Source

Source File: 00000007.00000002.2408292210.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 78ef04b249c6cf2961e033bf963532f8dd00db4fe87154820b73a743f2567dee
Instruction ID: 50ebbb071a3e494b6c7cc92fa8bab841384bbaa4b8a8108b605b0f54a2605625
Opcode Fuzzy Hash: 78ef04b249c6cf2961e033bf963532f8dd00db4fe87154820b73a743f2567dee
Instruction Fuzzy Hash: 4241DFB0C00719CBEB24CFAAC884BDEBBF5BF88714F60815AD409AB251DB756945CF90

Function 00F1D9C1 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F1DA4F

Memory Dump Source

Source File: 00000007.00000002.2408292210.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c53e9692958ccf166e7a65a5a686713a2c4b2849346d96c454e841ba3d91f45b
Instruction ID: eb15fb236b2a1af5e8303a94541b4763a9002949a32a735d3f8fbec3d06ca0ea
Opcode Fuzzy Hash: c53e9692958ccf166e7a65a5a686713a2c4b2849346d96c454e841ba3d91f45b
Instruction Fuzzy Hash: 5C21B5B5D00249DFDB10CF9AD584AEEBBF4EB48320F14841AE914A3351D379A954CF65

Function 00F1D9C8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F1DA4F

Memory Dump Source

Source File: 00000007.00000002.2408292210.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f15d24d056d5a69cffafbb883fd13ecbaeadf6dc630125aa0d9523a43dfd9e28
Instruction ID: 40d56072c59cb739a13005a61db6916c3628ddab5710d182da81b2a9c2617d61
Opcode Fuzzy Hash: f15d24d056d5a69cffafbb883fd13ecbaeadf6dc630125aa0d9523a43dfd9e28
Instruction Fuzzy Hash: 7921C4B5900249DFDB10CF9AD984ADEBBF4FF48320F14841AE918A3351D379A954CF65

Function 04A02410 Relevance: 1.5, APIs: 1, Instructions: 49
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04A02475

Memory Dump Source

Source File: 00000007.00000002.2468605661.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a00000_Exccelworkbook.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 516769cbafbf38d9ceec4ad89e78df7d2b554a0b2e9eaf91b0c96a5f24ba8e55
Instruction ID: 3201b349cf9ed7f814ab5e9b6b09b52fce4e9e4897af08f465d46d1fad53f2cc
Opcode Fuzzy Hash: 516769cbafbf38d9ceec4ad89e78df7d2b554a0b2e9eaf91b0c96a5f24ba8e55
Instruction Fuzzy Hash: BC11F2B6800349DFDB10CF9AD889BDEBBF8EB48724F10845AD558A7250C3B5A945CFA1

Function 04A01D90 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04A02475

Memory Dump Source

Source File: 00000007.00000002.2468605661.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4a00000_Exccelworkbook.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7bf9cf08c57895cb71d65523deb9ebc300467aa979f1baedf0afe89408ddfd6e
Instruction ID: a9f9eda9997971b9d4fb3f287c2aaca7c146bafbb195368cad4cdad96991bc45
Opcode Fuzzy Hash: 7bf9cf08c57895cb71d65523deb9ebc300467aa979f1baedf0afe89408ddfd6e
Instruction Fuzzy Hash: 1A11F5B6800349DFDB10DF9AD449BDEBBF8EB48324F10845AE515A7250D375A944CFA1

Function 00F1B5C0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F1B626

Memory Dump Source

Source File: 00000007.00000002.2408292210.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_Exccelworkbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b59a3bb4d65afb921b4d64889dd856836da583e7cd0bbb768e00ae9b7f1104ef
Instruction ID: bf59c540858237d54af09f8d1840d721907aa06bb95487e53e3927c43c22cf94
Opcode Fuzzy Hash: b59a3bb4d65afb921b4d64889dd856836da583e7cd0bbb768e00ae9b7f1104ef
Instruction Fuzzy Hash: 3711DFB6C00749CFDB10CF9AD444ADEFBF4AF88324F14845AD419A7210D3B9A545CFA5

Function 00D3D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2405383671.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d3d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee01d0c96a46ed998cb523b52f87ef35fc06acdbd0a279b37b3ae09f9e36745b
Instruction ID: 5a21c64989169e10bf117823e41a0019d50748f5d1fa59493c541aa569db5799
Opcode Fuzzy Hash: ee01d0c96a46ed998cb523b52f87ef35fc06acdbd0a279b37b3ae09f9e36745b
Instruction Fuzzy Hash: 2E213479504300EFDB05DF10E9C0B26BBA2FB84314F24C56DE9494B292C776D80ACE71

Function 00D3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2405383671.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d3d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f8c70aa202b1ac03ba1cf2e00d8aec82a30f8d2ff9e8e391eb025ee3452bb0
Instruction ID: f0eb650c5df0b9062ad4e5b2c3fc0dec989f5e32a2bdb6fb60c443106af0c46f
Opcode Fuzzy Hash: d1f8c70aa202b1ac03ba1cf2e00d8aec82a30f8d2ff9e8e391eb025ee3452bb0
Instruction Fuzzy Hash: 03212575504200DFCB18DF14E5C0B26BB66FB84B14F24C56DE94A0B292C376D807CE71

Function 00D3D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2405383671.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d3d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 709b0d71465d8815091fccbb5b968e92c2c25b400da9772d53a917ee4f9a658e
Instruction ID: 8f89f35b9efca4aa8d66764fc05c006f20a76f80fe87e7d0c6eca084d2ffc2c8
Opcode Fuzzy Hash: 709b0d71465d8815091fccbb5b968e92c2c25b400da9772d53a917ee4f9a658e
Instruction Fuzzy Hash: C0214F755093808FCB16CF24D994715BF72AB46614F28C5EAD8498B6A7C33A980ACB62

Function 00D3D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2405383671.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d3d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: de1faf9bdfc6149a5e29ee60db977297d971207d215c4c9c99f3e6acad700923
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: F5118B79504284DFCB16CF10D5C4B16BBA2FB84314F28C6A9D8494B6A6C33AD85ACF61

Function 00D2D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2405272700.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d2d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51f28948ec3adc708609d9bb3226e8bb154756970fa0f08c0110e5cfd8b5a47
Instruction ID: 2bfca52ea6236e42e2cb0634c2c5c39ec46c9fe5cc6891fa16d1539a1bd13234
Opcode Fuzzy Hash: a51f28948ec3adc708609d9bb3226e8bb154756970fa0f08c0110e5cfd8b5a47
Instruction Fuzzy Hash: 94012B714083509AF7104E25DD84B67BF98DF51328F1CC55AED4A4B292C6BDD840C6B1

Function 00D2D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2405272700.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d2d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c004acf3fba3f8a6c5a374aa9cba1ca701fafcb5fc6a56210f137d559fcc417
Instruction ID: f9f7434f60e0efe711971686b140a7aa7603de66b505c109791631b68b8f5a67
Opcode Fuzzy Hash: 5c004acf3fba3f8a6c5a374aa9cba1ca701fafcb5fc6a56210f137d559fcc417
Instruction Fuzzy Hash: 30F0C2724043549AF7108E15DC84B62FF98EB91738F18C05AED090B286C27D9C44CBB1

Analysis Process: Exccelworkbook.exePID: 6288, Parent PID: 6636COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	534
Total number of Limit Nodes:	50

Executed Functions

Function 0800B6E0 Relevance: .7, Instructions: 714COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b87f81c8e0936aa25bc550c8d3c00711a910ce352362dd6b875a121ce5ca58
Instruction ID: 311af92ab033d3bb2f48def2a39f35e73de114f34bc445337a4f255132776ac2
Opcode Fuzzy Hash: b5b87f81c8e0936aa25bc550c8d3c00711a910ce352362dd6b875a121ce5ca58
Instruction Fuzzy Hash: D5427B74B006068FDB59DF69C4A466EFBF2BF88311F14852EE55A97390DB30A902CB91

Function 07FD1D80 Relevance: 3.2, Instructions: 3213COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727087818.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7fd0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37643ca946d842b3ec7c1fb889336aecff1f5650bd60ae3c9360a53bc4b830c4
Instruction ID: 9f8d4808138f327db54dc40b1da32e8b100f49b6e296a83520e095f5f1a254f4
Opcode Fuzzy Hash: 37643ca946d842b3ec7c1fb889336aecff1f5650bd60ae3c9360a53bc4b830c4
Instruction Fuzzy Hash: 4833C3B2F101268BCB656B6C445423EBAE7BBC9650F5C81AEDE06D7344EF70CC419B92

Function 02FBBFF0 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02FBC256

Memory Dump Source

Source File: 0000000A.00000002.4700215175.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2fb0000_Exccelworkbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d5f34ecc58a9447cb180ade62e0521a035658aa6315097c2be436a01b5006134
Instruction ID: f39ba0d6b1bb910ee1ca5409088f021c2ccaa0df51e39c9a90780f04d437dddd
Opcode Fuzzy Hash: d5f34ecc58a9447cb180ade62e0521a035658aa6315097c2be436a01b5006134
Instruction Fuzzy Hash: B28147B0A00B058FE725DF6AC44479BBBF1FF88644F00892ED586D7A50DB75E845CB90

Function 0556C90C Relevance: 1.6, APIs: 1, Instructions: 118
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 0556E259

Memory Dump Source

Source File: 0000000A.00000002.4714637345.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5560000_Exccelworkbook.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: fd6d38625cc70ea471d00aade89f48a1382f63acba1f1aa7e4bcb7f011a7d045
Instruction ID: 4aa6a8daa0c255bbd9052483435a3202ca5aa288d42613f7550dc31b0a5b8ccb
Opcode Fuzzy Hash: fd6d38625cc70ea471d00aade89f48a1382f63acba1f1aa7e4bcb7f011a7d045
Instruction Fuzzy Hash: 6241D071A05245DFEB14CF99C845BEEBBFAFF88320F14842AD419A7340CB789805CBA4

Function 05562B64 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05564411

Memory Dump Source

Source File: 0000000A.00000002.4714637345.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5560000_Exccelworkbook.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: fce9de6e6d38a5fc3fc8191cca65db14c07db2d9c6516ed342ed157ade4ae29e
Instruction ID: 006feba27dd2837c712c5de8ac780fd5f11a640042648cc53b931325a1595c6d
Opcode Fuzzy Hash: fce9de6e6d38a5fc3fc8191cca65db14c07db2d9c6516ed342ed157ade4ae29e
Instruction Fuzzy Hash: 48412AB5900245CFDB14CF99C489AAABBF5FF88314F24C459D519AB321D775A841CFA0

Function 02FB6414 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02FB7421

Memory Dump Source

Source File: 0000000A.00000002.4700215175.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2fb0000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 568fb5485abe87871feb4b24dbc015ccb07f0d3565b5bd15ba52e484256535a1
Instruction ID: 3d4f614f071abeef9d9be98372b3ca19ebd994d235a5993f0945956b8fe161ef
Opcode Fuzzy Hash: 568fb5485abe87871feb4b24dbc015ccb07f0d3565b5bd15ba52e484256535a1
Instruction Fuzzy Hash: 1441CF71C0061DCBEB25DFAAC944BDEBBB5BF88305F20806AD508AB251DBB56945CF90

Function 02FB7364 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02FB7421

Memory Dump Source

Source File: 0000000A.00000002.4700215175.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2fb0000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2369d46e0a8e8d7b38988e6a13dd0df4b58b12fd11958fde2df963193cd9047a
Instruction ID: ac62f61c76a3a75945a397086db1dbc4890e5931c29572a4ee1cb3b5bcf87134
Opcode Fuzzy Hash: 2369d46e0a8e8d7b38988e6a13dd0df4b58b12fd11958fde2df963193cd9047a
Instruction Fuzzy Hash: A341D2B1C00719CBEB25DFA9CA44BDDFBB5BF88305F20805AD508AB251DB756945CF90

Function 05565A6C Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.4714637345.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5560000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd9f15aa7866c39f1e3f5627e7695d3cf2484b4fcec1131bea3a18f3f560f86
Instruction ID: 703010124f4d7bb7929150f61210472c22e396a94f286919f26185ab93d67093
Opcode Fuzzy Hash: 5fd9f15aa7866c39f1e3f5627e7695d3cf2484b4fcec1131bea3a18f3f560f86
Instruction Fuzzy Hash: 24213572A043489FCB109B69D844BEEBFF9FF95320F14809AE508D7261CA349845C7A0

Function 0556B168 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.4714637345.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5560000_Exccelworkbook.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 4cfaab7ba97f7b09dde937503128d7e64156333c5760e54eb39b9b6af2708cc8
Instruction ID: 6e6c972643727f1242fc6953fabcd5ea2b1422c482a65f65653930168db7e419
Opcode Fuzzy Hash: 4cfaab7ba97f7b09dde937503128d7e64156333c5760e54eb39b9b6af2708cc8
Instruction Fuzzy Hash: C8319C71904389DFDB11DFA9D844AEEBFF4FF49220F14805AE554A7221C375A854CBA0

Function 02FB611C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02FB674E,?,?,?,?,?), ref: 02FB680F

Memory Dump Source

Source File: 0000000A.00000002.4700215175.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2fb0000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b11e79a451b71df7892e5b91715927812bbc37ccbb993923c9b64bb3e3b0381b
Instruction ID: 50e344da536e5d07687b4a990bd0a694d73126d1ded93f44df7cda591ec42f2b
Opcode Fuzzy Hash: b11e79a451b71df7892e5b91715927812bbc37ccbb993923c9b64bb3e3b0381b
Instruction Fuzzy Hash: FD21D4B5904249DFDB10CF9AD984ADEBBF8FF48320F14845AE914A7210D374A950CFA1

Function 02FB6780 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02FB674E,?,?,?,?,?), ref: 02FB680F

Memory Dump Source

Source File: 0000000A.00000002.4700215175.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2fb0000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9eb3bbae27f9daca15af6d0134bd8d4cf96700caae7dab0d3e771c5e350cbe70
Instruction ID: 7f5c0233402992b88cd79d2f2059da560a8c4ef370161d736c03b35fbc57a6db
Opcode Fuzzy Hash: 9eb3bbae27f9daca15af6d0134bd8d4cf96700caae7dab0d3e771c5e350cbe70
Instruction Fuzzy Hash: AF21D2B5D00249DFDB10CF9AD984AEEBBF8FF48324F14841AE914A7210D778A950CFA5

Function 0556C91C Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 0556E259

Memory Dump Source

Source File: 0000000A.00000002.4714637345.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5560000_Exccelworkbook.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 2606b403c20bc3229750b54ffb8e3a9fd167ac52a96d0db8f5786a84289f1ff7
Instruction ID: 2c33bf88f5f27eaef688b4d1847cbe02265a273ece77f780f9f2cf68364d31f4
Opcode Fuzzy Hash: 2606b403c20bc3229750b54ffb8e3a9fd167ac52a96d0db8f5786a84289f1ff7
Instruction Fuzzy Hash: F7213875904249CFDB10CF9AC845BEEFBF9FB88320F14842AD415A7240D7B8A940CFA1

Function 05569D7C Relevance: 1.6, APIs: 1, Instructions: 56
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0556B182,?,?,?,?,?), ref: 0556B227

Memory Dump Source

Source File: 0000000A.00000002.4714637345.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5560000_Exccelworkbook.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 5213d77c1f7bde4e978e1f9c83cbe2a83ce31362a537da7712e0dddc4b17e789
Instruction ID: 08f7e4e27e97c7940df7ed2e4e415c08e308f482cd81d80cc8c1160edd2a9a62
Opcode Fuzzy Hash: 5213d77c1f7bde4e978e1f9c83cbe2a83ce31362a537da7712e0dddc4b17e789
Instruction Fuzzy Hash: 551126B1804249DFDB10CF9AD844BEEBFF8FB48320F14841AE914A7210C379A950CFA4

Function 05562010 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 05562075

Memory Dump Source

Source File: 0000000A.00000002.4714637345.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5560000_Exccelworkbook.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: cc2a3703b6e349f3a7ff09f09a289aed2231e6a14d4b9b06c568a1d0a20cae6e
Instruction ID: 7baa6bd4969f7f25ea23697de25bf02ede2c3e7d1701e6576f23a09d357c53bb
Opcode Fuzzy Hash: cc2a3703b6e349f3a7ff09f09a289aed2231e6a14d4b9b06c568a1d0a20cae6e
Instruction Fuzzy Hash: A211F5B58002499FDB10CF9AD589BDEBBF8FB48320F20851AD919A7200C3B5A944CFA5

Function 05569DC0 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,?,?,?), ref: 0556B58D

Memory Dump Source

Source File: 0000000A.00000002.4714637345.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5560000_Exccelworkbook.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 829bcae676d7359c3d2291d4104e1cdb4e804c0608d892e8578713b95f1c08ec
Instruction ID: dff65bc83fb09bedaadf48a44161d0e9b155ac1115f81bf6d348517d0085ebaa
Opcode Fuzzy Hash: 829bcae676d7359c3d2291d4104e1cdb4e804c0608d892e8578713b95f1c08ec
Instruction Fuzzy Hash: 3611F5B5804349DFDB10DF99D545BDEBBF8FB58320F10845AE514A7200D3B5A954CFA1

Function 02FBC1F0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02FBC256

Memory Dump Source

Source File: 0000000A.00000002.4700215175.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2fb0000_Exccelworkbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 973b6db039de1d8db477c274b563f73f93fb8a35a182fd40084cf02084943db9
Instruction ID: dffc709546353c319873444db94b72a816d8687fe6d60a53d44ffb3e9a42d8db
Opcode Fuzzy Hash: 973b6db039de1d8db477c274b563f73f93fb8a35a182fd40084cf02084943db9
Instruction Fuzzy Hash: B81102B5C002498FDB10CF9AC544BDFFBF4AF88624F10855AD519A7200C3B9A545CFA1

Function 0556B52B Relevance: 1.5, APIs: 1, Instructions: 45
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,?,?,?), ref: 0556B58D

Memory Dump Source

Source File: 0000000A.00000002.4714637345.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5560000_Exccelworkbook.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8c48e8900d71d729ec8846e507c142d8a3beacbda841aec86a74e960c69547b0
Instruction ID: 6ff0355ceda845e652640c45125141bd55648a53e0d156ff5d85068e73b32347
Opcode Fuzzy Hash: 8c48e8900d71d729ec8846e507c142d8a3beacbda841aec86a74e960c69547b0
Instruction Fuzzy Hash: E011F2B5800349DFDB10CF9AC985BDEBBF8FB48324F208419E918A7200D3B5A944CFA1

Function 05562018 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 05562075

Memory Dump Source

Source File: 0000000A.00000002.4714637345.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5560000_Exccelworkbook.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5dac81a786aa9b72496f2a7812519f11103cf27eaee53cc8f3a4837c6f510520
Instruction ID: 13314fec035ee6e460f7eae38cbea1a09572eb9235b1495f8158e6e4c40d4aa9
Opcode Fuzzy Hash: 5dac81a786aa9b72496f2a7812519f11103cf27eaee53cc8f3a4837c6f510520
Instruction Fuzzy Hash: C91103B5800249CFDB10CF9AC585BDEBBF8FB48320F20841AD919A7200C3B9A944CFA1

Function 07FD1D64 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

U, xrefs: 07FD1D79

Memory Dump Source

Source File: 0000000A.00000002.4727087818.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7fd0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 11c579bef802c6a439b152f368700a3b25e61dddcdd12616b7594fe47a53db4d
Instruction ID: d0722bbf7558aabb456b640855e0ff0c9d5350f4ca41c3f386f47e40338a2e08
Opcode Fuzzy Hash: 11c579bef802c6a439b152f368700a3b25e61dddcdd12616b7594fe47a53db4d
Instruction Fuzzy Hash: A3018972A042948BD72617688C1497EBFB7EB82240F0D06BACD85A7240DB358C01C7E2

Function 07FD0908 Relevance: 1.3, Instructions: 1264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727087818.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7fd0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36296b59b287c082a309d3e9d5c18b0c4778f69e2c52bbf9ecfa1844b4dc2c8b
Instruction ID: 767626c3a3937da890a9b67bf5c8d37aff5c887e9bba7147034129733ec73e65
Opcode Fuzzy Hash: 36296b59b287c082a309d3e9d5c18b0c4778f69e2c52bbf9ecfa1844b4dc2c8b
Instruction Fuzzy Hash: 03A29374A102158FE7149F69C8597BABABBBFD5310F14806EEA0697294DFB08D40CF63

Function 080021B0 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad854215c6f210bf00e81e9584cbf849c0bcec6ed37d81a4ef7297dc371b939
Instruction ID: 06adc16de21b95a6e7adb3b928af92ab4a949e3ebc95225f28cb0f2f6f28d264
Opcode Fuzzy Hash: 5ad854215c6f210bf00e81e9584cbf849c0bcec6ed37d81a4ef7297dc371b939
Instruction Fuzzy Hash: BF122D34A002198FDB55EF68C894B9DB7B2BF89301F5085A9E449AB3A5DF30ED85CF50

Function 08009700 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152538408221e89ed06cab6f75dc8a8ad6282ffcb51f42a7b1eb708449c92948
Instruction ID: af8a3eaa22cfed824cd64696fd8039ba850800135e887900f71071f446bf6ae8
Opcode Fuzzy Hash: 152538408221e89ed06cab6f75dc8a8ad6282ffcb51f42a7b1eb708449c92948
Instruction Fuzzy Hash: F8E1DF30604605CFEB15DBACD49466EBBE3FF85216F588A1AD446CB796CB30E802CF95

Function 07FD0048 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727087818.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7fd0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c4f504b1db4410b5de75259ca8c67ec25a07864ae7362c7f447a6cb584ecc5
Instruction ID: b7d676daf00fd41ff369d8204fd80ce645114d30c66588f1249a89eda3c56bfe
Opcode Fuzzy Hash: e0c4f504b1db4410b5de75259ca8c67ec25a07864ae7362c7f447a6cb584ecc5
Instruction Fuzzy Hash: 7EE1B1B0B002069FEB14CB69C948A6EBBB3FFC5300F188169E5029B391DF79DD419B51

Function 080028A0 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f60d75d134b47080e91cee8d5cfeca5d867422b2f4cb9f4c185e19b939ecb43
Instruction ID: 4659227805e5f33b10640b32f44a2c007bdd939eda09e2e8f76be55a9778222f
Opcode Fuzzy Hash: 6f60d75d134b47080e91cee8d5cfeca5d867422b2f4cb9f4c185e19b939ecb43
Instruction Fuzzy Hash: 4AE14F34A01209DFDB55EFA8D4949ADBBB2FF89310F108569E405AB3A4DB30ED46CB90

Function 0800B2C0 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca70fc0b08c247f29e6d52db465210447d446ef6438d50d0c8fd050029a0c63
Instruction ID: 4e33ed101b22026e5904359b3a1fc31fb06ad551a8b7edff398d1bd2059ff3de
Opcode Fuzzy Hash: 1ca70fc0b08c247f29e6d52db465210447d446ef6438d50d0c8fd050029a0c63
Instruction Fuzzy Hash: DAC17175A006418FE725CB28C465B6EBBF3BF84322F19855DE4868B6A1CB34E842CF51

Function 08006680 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a088322500a6b1c48cea738c7c805dd4bd3d97db53c1cef1d54c948961e8b0
Instruction ID: d8dafd6024d56bfeeec071e29ac39c96092c94004371474c7fee600f47aa6649
Opcode Fuzzy Hash: 87a088322500a6b1c48cea738c7c805dd4bd3d97db53c1cef1d54c948961e8b0
Instruction Fuzzy Hash: 93D1C834B112189FDB44EFA9D994E9EBBB3FF89700F208459E515AB3A5CE71AC01CB50

Function 08007920 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1381cd6f0900bec561ed328a9f871b69d11e004eaf750a730910534bde153584
Instruction ID: 40bae5c416c8724e76f47d421be495ef445e6afd6681ff4451e5f3f814011ce1
Opcode Fuzzy Hash: 1381cd6f0900bec561ed328a9f871b69d11e004eaf750a730910534bde153584
Instruction Fuzzy Hash: BEC1C474A00218DFDB44EFA8C994E9EB7B6FF88300F104569E506AB3A5DB71AC02CF51

Function 08002E38 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 496105f03b1440c018273bab0e80fa769ba69378b870a2359b882d8c8f8e7503
Instruction ID: 6d88244b7e2031ff47cb5f221db32de271d147cb914d072457e7e75d2e02b1d1
Opcode Fuzzy Hash: 496105f03b1440c018273bab0e80fa769ba69378b870a2359b882d8c8f8e7503
Instruction Fuzzy Hash: 8DA1A236301200DFD71A9F68D894F2A7BA3EFC9311F1584A9E2058B3A1DB36EC42DB51

Function 08007912 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71eafaae180b33ebd325e37440e8e9b610094809050e20b2e42809d5235ec450
Instruction ID: 4d4e8bc10c112d107621f109160ce0b6d1526c24cbdba7db05c62ad210aaa7b9
Opcode Fuzzy Hash: 71eafaae180b33ebd325e37440e8e9b610094809050e20b2e42809d5235ec450
Instruction Fuzzy Hash: 7AC1C474B00218DFDB44EFA8C994E9EB7B6BF88301F104569E506AB3A5DB71AC02CF50

Function 08006650 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b138a3c012e4beb01f51c71bf889f12b5f605cea41567c986bd955bc2c24c0
Instruction ID: dee297f5c51d95a29f3a07db056c18d10e6554e01a30faca6181839da20181a1
Opcode Fuzzy Hash: 66b138a3c012e4beb01f51c71bf889f12b5f605cea41567c986bd955bc2c24c0
Instruction Fuzzy Hash: 9AB10D34B112189FDB44DFA8D994E9EBBB3FF89300F144069E505AB3A5DB71AC41CB90

Function 08006B48 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b47929a3eb3ea82c971d51e9c7c253389e1cd9de651e2bbd28337a58425a31
Instruction ID: 9d3072a33cf47583afd77b31bde2015ca0f0b6f0193fea2455fbe0d5d8e35d56
Opcode Fuzzy Hash: 55b47929a3eb3ea82c971d51e9c7c253389e1cd9de651e2bbd28337a58425a31
Instruction Fuzzy Hash: 04A17C347006188FDB44EF68C854AAE7BB3AFC9700F104969E5129B3A4DF75AD42CF91

Function 08006B3E Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6491741c9b062bae42194f94f07dfc1f77751569eed22b71595beae28c9977
Instruction ID: 9da09edba5ee02596e568efc1218b825aeee03eef3f6727247e38af9b7a703db
Opcode Fuzzy Hash: 2f6491741c9b062bae42194f94f07dfc1f77751569eed22b71595beae28c9977
Instruction Fuzzy Hash: 9FA15A347006188FDB44EF68C854AAE7BB3AFC9700F504969E5129B3A4DF75AD42CB91

Function 07FD0000 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727087818.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7fd0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581e7d7a6e0e735c00a84b71c0c6032d0f286f41c33656a7c0283bf479729995
Instruction ID: 21b60cb4921161f0b294de77b60cc16c7d62d1702be1c18c5a39df42649cb36f
Opcode Fuzzy Hash: 581e7d7a6e0e735c00a84b71c0c6032d0f286f41c33656a7c0283bf479729995
Instruction Fuzzy Hash: 4A91D0B1B406029FDB058B28C844B6EBBB7FFC6604F18416AE111DB3A2DF79CD449B91

Function 08003170 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3aee8a67afc6df7b7db6eedf2d329711e70de105764c225ceb1610e3f31d87b
Instruction ID: be2a14252b2f27a6dfe8987231fc4b37884ce87dbf42d0b03c56e1579abad066
Opcode Fuzzy Hash: f3aee8a67afc6df7b7db6eedf2d329711e70de105764c225ceb1610e3f31d87b
Instruction Fuzzy Hash: 1C815B34B10614DFDB45DF68C894AADBBB6AF89711F1580A9E506DB3A5CF30EC02CB90

Function 08000E88 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca89ec00d4663adfa48f1cdf1770cc21700157cf7cfd00b88399430c568b6756
Instruction ID: 11e9f730ddbae6d6329da4469e60d9c724b577639311e76ad6f42fcd47b84b80
Opcode Fuzzy Hash: ca89ec00d4663adfa48f1cdf1770cc21700157cf7cfd00b88399430c568b6756
Instruction Fuzzy Hash: 2D71BF71B006158FC754EB68C554A6EBBF6EFCA700B10416AE506DB3A1DF30AD06CBA2

Function 08005AC8 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e10838c86600d0ba36cd3a0f42481d4c6d17add449dbc8c36ca821aec68f72
Instruction ID: 65d2c522dcb215f8e2a1cd28d47a7e5c8b61a4d2bbd042961e1f27c4f3401453
Opcode Fuzzy Hash: 18e10838c86600d0ba36cd3a0f42481d4c6d17add449dbc8c36ca821aec68f72
Instruction Fuzzy Hash: D9812D34B006199BEB55EF68D854BAE77B3EF88601F204529E402AB3D0DF75AD41CF91

Function 08006BE5 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c7c0e4b3b46d6bd2fc5d80d58904a5efa142877627e7b6d28df11bea723103
Instruction ID: 7c3da5eaeb340e78221af12037233509711fc548db62b72fbaa50582c69cbb7a
Opcode Fuzzy Hash: 21c7c0e4b3b46d6bd2fc5d80d58904a5efa142877627e7b6d28df11bea723103
Instruction Fuzzy Hash: 85717D347106188FDB44EF68C890AAE77B3AFC9701F504969E5029B3A4DF75ED42CB91

Function 0800A6CB Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64831b0e6c168b0996ebce8f802cae9666344c3cddbd937c870585e459168ce8
Instruction ID: 7ea253b8376c0932a968c6995a0fd60fae44d30a1e467ae3122baa6657dba525
Opcode Fuzzy Hash: 64831b0e6c168b0996ebce8f802cae9666344c3cddbd937c870585e459168ce8
Instruction Fuzzy Hash: 4C81A074B21229AFDB54CB9CD984EAEB7B2BF88310F154159E905AB3A2D771EC41CF40

Function 08005AB8 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a345c99099a55eb6939097c229fff7a1e810df072b4092f4133100cdf66e8f5
Instruction ID: e1fed5f3ea3273d054864e2e4e800914487afa08a0fee062b01eb774957a44f5
Opcode Fuzzy Hash: 2a345c99099a55eb6939097c229fff7a1e810df072b4092f4133100cdf66e8f5
Instruction Fuzzy Hash: 22618034B016099FEB15DB68D854BAE7BB3AF88201F144429D402AB3D1DF74AD42CF95

Function 0800AE38 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22107e626b12c215d7e331b3ce27fed8586129b61efa123597611e93f490d064
Instruction ID: d2bda8c4fac7051f6586a4bea2d25a70135e6efaa12d206c460c411246eb1af7
Opcode Fuzzy Hash: 22107e626b12c215d7e331b3ce27fed8586129b61efa123597611e93f490d064
Instruction Fuzzy Hash: 2151BF713007518FE724DF2AC880B5B7BE2EF85721F14892EE55A8B7A1DB74DC058B91

Function 08001EF5 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac76fcea222726be01bac707b0c5b7fe47b145dc5fda254790f5fb43415cc12
Instruction ID: 193aa30446ad4a247319dd0a6463fbc547361c4eb8c9fcf9dee1cc88597ea3ea
Opcode Fuzzy Hash: cac76fcea222726be01bac707b0c5b7fe47b145dc5fda254790f5fb43415cc12
Instruction Fuzzy Hash: 10415B71B082905FE716AB288C69BAE7FA79FD6701F14005EE142DF3D2DEA54C06CB91

Function 08003161 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7557e6472eb40f319f7b80f3b40751185e66114a7f5a25cec6742a068715496
Instruction ID: 5f9c985cf37f9bf866e5c5e459091acffadd95fe98e99d47d52304c5357a4031
Opcode Fuzzy Hash: b7557e6472eb40f319f7b80f3b40751185e66114a7f5a25cec6742a068715496
Instruction Fuzzy Hash: 3C613A34B10614DFDB45DF68C894AADB7B6BF88711F1580A9E8069B3A5DB30EC02CF90

Function 08007238 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442d72bee065b4d9c4161de0f44db3156378bf194cfac77114f0196fafc23c00
Instruction ID: a725cc84d25af4e5bd25ffed94a840beca8a618e721b04691f48687abfcec647
Opcode Fuzzy Hash: 442d72bee065b4d9c4161de0f44db3156378bf194cfac77114f0196fafc23c00
Instruction Fuzzy Hash: B041D4327001596FDF029EEA9C508FFBBEAEF88211F04406AFA05D3251DA39D9159BB1

Function 08001F70 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3364820340b8859d7d54649928a58d8a62fcd04fd7c4f4c6aa6a3b411e0e217d
Instruction ID: 1182c00202a76a5b89c0a337206405b715d45e21292fa727373c3578bcf9150b
Opcode Fuzzy Hash: 3364820340b8859d7d54649928a58d8a62fcd04fd7c4f4c6aa6a3b411e0e217d
Instruction Fuzzy Hash: 3141B930B106148FCB45EB68C8A4AADB7BBEFC9700F10441EE102AB7A4CF749C46CB91

Function 0800B158 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a692523b21d9a9bd3513ac9c087cc728c4ef6f8affa78457ca9756f318d4e430
Instruction ID: 2177854c58bf30f9ce150a7880c273a76b30e218591e433638ee7aec0571c7a3
Opcode Fuzzy Hash: a692523b21d9a9bd3513ac9c087cc728c4ef6f8affa78457ca9756f318d4e430
Instruction Fuzzy Hash: D341AC31B00B058FDB64DB6CD55029EB7F2EF84621F54896ED05ACBA84DB30E801CF81

Function 0800AA70 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb456867a7239524982c6fe74656a7478da65c3f1f1370ae2dbc1fa93b38287
Instruction ID: 3505e73112b26a3a3ca7e2fc1083031d5d203530b2e6b5511f2055e78cf75f41
Opcode Fuzzy Hash: 8cb456867a7239524982c6fe74656a7478da65c3f1f1370ae2dbc1fa93b38287
Instruction Fuzzy Hash: 88417931B002158FD744DF69C854A9EBBF6BFCD210B2585AAE509EB3A1DB31AC01CB80

Function 08003CC0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8311df096ad7712459924c4bfd24ccbcceecd56428e91e6e4a6bc927cac7075
Instruction ID: 5a9e62a84faea157b767c61d004ba4e2769f701129c5769c8128fb117c158755
Opcode Fuzzy Hash: a8311df096ad7712459924c4bfd24ccbcceecd56428e91e6e4a6bc927cac7075
Instruction Fuzzy Hash: 0A415C727006049FE3599B68C854F2A7BA7AFC8711F114469E2068B7E6DF75EC02CB91

Function 08003CE8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2abdc5d043c114f8e18173d0d6d68798688dca447803ef052ea7e2ed23cb70c3
Instruction ID: d989a395d93a102cfacb5db4456296409145d32e05e22ab718a45895cc1b1858
Opcode Fuzzy Hash: 2abdc5d043c114f8e18173d0d6d68798688dca447803ef052ea7e2ed23cb70c3
Instruction Fuzzy Hash: C43149357006149FE358DB69C854F2B7BEAAFC8710F204468E60A8B3A1DF75EC02CB91

Function 08005E11 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2ab650b5363d135ed4c7ea11e6673c4c556d199fd9717798a8633adf1c4be9
Instruction ID: d4608038f51a9bb061ff25e4165e8c2c5491e058fc9007c8c3319cb6ddd74995
Opcode Fuzzy Hash: 5f2ab650b5363d135ed4c7ea11e6673c4c556d199fd9717798a8633adf1c4be9
Instruction Fuzzy Hash: A341A034B106188FDB44EF68C8556AE7BB6AFC9601F10855BE402EB3A1DF709D06CFA1

Function 080034A0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6f664e276d26e5587881796fecf6dbbe311f704bb52fd89e1f66381a5a93ca
Instruction ID: 31e7e2dad49279c20bc19de6b2c1c2f15b783c46868e7545231b5f88121bbf6b
Opcode Fuzzy Hash: dc6f664e276d26e5587881796fecf6dbbe311f704bb52fd89e1f66381a5a93ca
Instruction Fuzzy Hash: 96313C35A001189BDF54DFA8D854AEEB7B6FF88312F108069E901B73A4CB75AD05CFA0

Function 08005E28 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f35da84c91d3b5d2cd910a8fd98d8361f0c76e34088ff0ed5a598a04672ee4a
Instruction ID: 686fee3288576d6df49a8a41ed892fbc2925dda40d8a56ba3b3ef0e96d2e7958
Opcode Fuzzy Hash: 0f35da84c91d3b5d2cd910a8fd98d8361f0c76e34088ff0ed5a598a04672ee4a
Instruction Fuzzy Hash: 9A318634B105188FCB44EF68C855A6EBBB6EFC9701F10855AE5069B3A4DF70AD06CBE1

Function 0148D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4699267498.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_148d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261fd049525eba4bfca5aec5422b6ddbf3fe9f73a8b3c79dcbe6d03fc538206d
Instruction ID: 53b1ef8e831cc71e725215d20c5ead49e7296add6c5bd613acd21ffc8cd48170
Opcode Fuzzy Hash: 261fd049525eba4bfca5aec5422b6ddbf3fe9f73a8b3c79dcbe6d03fc538206d
Instruction Fuzzy Hash: EF2145B1904300EFDB15EF54D9C0B2ABB61FB85318F20C56ED90A0B3A2C336C407CA61

Function 0800ABB8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe5cc760e21174f9e699658e9ab134a8dbe4afcbc830a595b95c5a8484912b5
Instruction ID: 784175a9086a5c4d1368020e773d56fb37d1acd6fd3baad01d17f4714ed649f1
Opcode Fuzzy Hash: 9fe5cc760e21174f9e699658e9ab134a8dbe4afcbc830a595b95c5a8484912b5
Instruction Fuzzy Hash: 72217A35A002189FDB149FA8C854ADE7FB7EB8C320F14912AE815AB390DB349841CFA1

Function 07FD04F5 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727087818.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7fd0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e434cf2f385163d0e13753ab00362d3f15dcd67d8d35f270ce07600f2457eff0
Instruction ID: 7aef21eccc06a1b84b3ab5766be79831c82c97a533c8da92ca9cbaa9ac974239
Opcode Fuzzy Hash: e434cf2f385163d0e13753ab00362d3f15dcd67d8d35f270ce07600f2457eff0
Instruction Fuzzy Hash: AF21BDB1B4010ADFEB109B64C884BAABBB3FBD4314F188129E4059B391CB35DC81DB61

Function 0800ABC8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc4eb7f2aec964e9191c43dd918ce0708e6435737d555504777ebb9d408ce6f
Instruction ID: e53df1becffd24cabc8c61925c2c9aea96816009a60cdbf729afdf4aeaf75436
Opcode Fuzzy Hash: 1bc4eb7f2aec964e9191c43dd918ce0708e6435737d555504777ebb9d408ce6f
Instruction Fuzzy Hash: 2E216A35A002189FDB149FA8C8549EE7FB6FB8C320F14912AE811AB390DF719841CFA1

Function 07FD49A8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727087818.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7fd0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea3b78c6e61b25eeb15e0b606eca836cdc5d9e1d6a153d977e6eb0b35079d59
Instruction ID: 080716055d6e0a394390939f8c75307b392e89795b543a949eb31a2651e146ac
Opcode Fuzzy Hash: cea3b78c6e61b25eeb15e0b606eca836cdc5d9e1d6a153d977e6eb0b35079d59
Instruction Fuzzy Hash: 1411E9BAB009928B871A5B3A501543DF6ABAFD656172C806EDC0AC7348EF31DC064B67

Function 0800388F Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77cabd22eabfd96758e054695a4125add9e1ca57c74126512180852c95105cb
Instruction ID: a214a4ea68c48d33bc7aad043ba4fc15c25313ccd57762227f09c4d664cc934e
Opcode Fuzzy Hash: e77cabd22eabfd96758e054695a4125add9e1ca57c74126512180852c95105cb
Instruction Fuzzy Hash: 25113DB62493809FD3069B34892475A7B72EF92300F5640EFC1418F7E3D63AD842C716

Function 08002D78 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90df916ea49a4c8afcfc935253e71f0cf4928c3de55006ac9f454e4e5027870d
Instruction ID: 096a43cccfbecd4f9adbcd59cc9ade0d5efb505bffc7c1647c6c1d63e0234e42
Opcode Fuzzy Hash: 90df916ea49a4c8afcfc935253e71f0cf4928c3de55006ac9f454e4e5027870d
Instruction Fuzzy Hash: 3821E175B102048FCB55DF68D994A6EBBF2AFC9311F14456AE502DB3A1DB30EC05CB62

Function 0148D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4699267498.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_148d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8e2305b30127b34b7c3ac2bffb3729ad904fd099f6d8b785c3e02936b61392
Instruction ID: 419414a4c22c9fa8011fd65113716103da08bd822e8a7e778ca9fde5316c1a91
Opcode Fuzzy Hash: aa8e2305b30127b34b7c3ac2bffb3729ad904fd099f6d8b785c3e02936b61392
Instruction Fuzzy Hash: 242180755093848FDB02DF64D590716BF71EB46218F28C5DBD8498B2A7C33A980BCB62

Function 08002D88 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef62ed1a0daf8c2260045f428a0c22121fc62c40652b1a88fb0a9bff8e8f3507
Instruction ID: 0482e227c16402980bd3d81f2e8b572229f5bd1dbb9b924ab9385ba0b7962a31
Opcode Fuzzy Hash: ef62ed1a0daf8c2260045f428a0c22121fc62c40652b1a88fb0a9bff8e8f3507
Instruction Fuzzy Hash: 87118B34B106048FCB54EF68D994A6EB7F6EFC9310F144569E5069B3A0DB70ED05CBA1

Function 0800B6D0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63567db5f14a526fb592f307c8bb61365f149bccad7380c279b041f90740d82
Instruction ID: 45d1ebf2b7874663eb8a0d51c56a66c777e1b4bb9d133b47268234d116695f03
Opcode Fuzzy Hash: b63567db5f14a526fb592f307c8bb61365f149bccad7380c279b041f90740d82
Instruction Fuzzy Hash: 7B018435E006099FCB11DF6DD5049DEBBF6BF89621F00815AE449A7350EB349A05CFA1

Function 0800A8C8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a8a4c88b2acc60115a2d5aa2c2e5d11b0daf976adbbb189fceedf4ec41bb11
Instruction ID: 7d0d1f426120f5e9cf7a51a5142c7b02b915c3fccaa9495cb33acaab89bdcb32
Opcode Fuzzy Hash: 22a8a4c88b2acc60115a2d5aa2c2e5d11b0daf976adbbb189fceedf4ec41bb11
Instruction Fuzzy Hash: 7D110634B12229DFCB55CBA8D894EADBBB2BF48221F150159E512AB3A2CB759C41CB40

Function 080035D9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734078369de626af049e04f69ff9d00cacc153f1ebbb36a8fdf1d90e8a730107
Instruction ID: d41aff2c1c81fef0f6cc16b6169447819602a235a7806b38d735978235656530
Opcode Fuzzy Hash: 734078369de626af049e04f69ff9d00cacc153f1ebbb36a8fdf1d90e8a730107
Instruction Fuzzy Hash: 2401C0317006409FD3269B28D454B2BBBA3ABC5221F14896DE5164B7E1CB71EC42DB81

Function 080035E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c9d2afc46178e318ece72ec5efc5073964293149ece99e3668b3f2c6686e38
Instruction ID: cac1dea66ec661d10bcafa0ac700725fad44000d883bd76845dd958cf49eeedb
Opcode Fuzzy Hash: 85c9d2afc46178e318ece72ec5efc5073964293149ece99e3668b3f2c6686e38
Instruction Fuzzy Hash: F601B134700644AFE3269B28D454E2BBBA3EBC5321F14896CE5564B7E0CF75EC02DB80

Function 07FD0AF9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727087818.0000000007FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7fd0000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5910ee63dd23546495a139764682bba2e14706013c619d736297fec54aadc69f
Instruction ID: ca24610fb63b3fd10b041831b5e01d5c244e05d80bf5b10f02e6bee3686a4c83
Opcode Fuzzy Hash: 5910ee63dd23546495a139764682bba2e14706013c619d736297fec54aadc69f
Instruction Fuzzy Hash: 73F0F972F001258BD7149A9C98506BBBABBDBC4710F04417EEA09E7394DFB04D05C7D1

Function 08000991 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b3a9d37be1ea18f08b4f4a4550ba150be9b7ddbe0221e2319ef5b7ee2a0346
Instruction ID: 9a0f67a45fd23bf617e843ea39218e59dd2c7e95222021031bf193bdb41da53f
Opcode Fuzzy Hash: 94b3a9d37be1ea18f08b4f4a4550ba150be9b7ddbe0221e2319ef5b7ee2a0346
Instruction Fuzzy Hash: E701DF7A3016009BC3059B24D564A2EBBA2EFCC722B10852DF90687394DF36EC03CB91

Function 080009A0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd9783a203366aa6c4c89094042acfc2e0823e2270bc66c7e2475d5b8a4cfd2
Instruction ID: 6991580f9f6116b7a32b5e0b586509412c74236086a8cc52862ba44fdef2fd10
Opcode Fuzzy Hash: 4cd9783a203366aa6c4c89094042acfc2e0823e2270bc66c7e2475d5b8a4cfd2
Instruction Fuzzy Hash: 9E018176301510AFC7059B24D464D1EBBA6EFCC721B108129F90687390DF36EC02CBD5

Function 0147D603 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4699173666.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_147d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19255bb63343735156501328bc87fd2239307b0758fee6fcc76a2ea2fc7ac5fe
Instruction ID: 509a5030e4a5c76792ce5c52f6930254729731941a98c89edf69344ce7c80e9c
Opcode Fuzzy Hash: 19255bb63343735156501328bc87fd2239307b0758fee6fcc76a2ea2fc7ac5fe
Instruction Fuzzy Hash: 8DF04976600600AFD3208F0AC984C23FBADFFC4670715C15AE84A4B722C671FC02CAA0

Function 0147D5F4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4699173666.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_147d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e2c5d980b5689f1fe2aaaecf734ca1beb400a8746fb1af5d149632d1170db8
Instruction ID: 392b260a333741c2ceb9c6c045ee20b1433c6a8e9402ffedebac1cd70675b879
Opcode Fuzzy Hash: 44e2c5d980b5689f1fe2aaaecf734ca1beb400a8746fb1af5d149632d1170db8
Instruction Fuzzy Hash: DFF03C75104680AFD325CF05CD84C63BFF9FF856607198589E84A8B362C671FC42CBA0

Function 08000718 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0d94de395bfb55c5d59339e517632ebefd62e2ec80ca92595c459a1ebb8b23
Instruction ID: a0bf184f17cb26feb2e17c82bfc66a996f72833326bf468560cb8c5916ee3a5c
Opcode Fuzzy Hash: 5e0d94de395bfb55c5d59339e517632ebefd62e2ec80ca92595c459a1ebb8b23
Instruction Fuzzy Hash: F2F06DBA3013009FC714DB59D864A3A7BA6EFC9722F1580A9F5468B761CA31EC52CB50

Function 08000E78 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071019830b32a92bfe4962f1454725b3864f5123069b22808d041f8273e2f6bc
Instruction ID: 9249f5860fb9d06e9264e4067655aeeb0afb30e32df14593f94fe41a54fac0ac
Opcode Fuzzy Hash: 071019830b32a92bfe4962f1454725b3864f5123069b22808d041f8273e2f6bc
Instruction Fuzzy Hash: D0F055A7300A1487E744111C9920F7F268B8FDA223F04802BE500D73C4EE75DC038392

Function 08000728 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096e95ed48ff391ae18ee9801c30ea68f3ee4ad2824ddba12462022379f29853
Instruction ID: 4e8319938061e26358933702b5470a1cb55b7d9f4a112d12714d91897a157775
Opcode Fuzzy Hash: 096e95ed48ff391ae18ee9801c30ea68f3ee4ad2824ddba12462022379f29853
Instruction Fuzzy Hash: 9FF05E393117049FC714DB59D854D3A7BAAEFC9721B144069F9068B370CE31EC42CB90

Function 0800A96C Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2f20b52c7612cfba01e542e27eb26ed0d1daec9a25be2ddaa337f56dd132e0
Instruction ID: 8f63e1e8d54bb9e06514b00e569671cbdfd50b2b75f658a4f028bf50d67481b2
Opcode Fuzzy Hash: 4d2f20b52c7612cfba01e542e27eb26ed0d1daec9a25be2ddaa337f56dd132e0
Instruction Fuzzy Hash: 4EF06D30B01229DBEB159B98C85AFEDBBBABF84211F064019E006AB6A1CB755C05CB40

Function 0800A551 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b0352fde4b75ec9cf230363e1813628507f415e86a6239c196d0b7fbce293a
Instruction ID: 9ada8d73907b0498ec36f92edf6307912bc4a2bcafddeb527fe667dd660c2357
Opcode Fuzzy Hash: 53b0352fde4b75ec9cf230363e1813628507f415e86a6239c196d0b7fbce293a
Instruction Fuzzy Hash: 56F0A0707001009FEB04CB18D980A99BBF2FF88314F158199E509AB361C671FC068F90

Function 0800AA20 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef133065002e87680c71437a3126dedb961e0181d1a2be1221b9bd57751f639
Instruction ID: 017ae00b33a08eefc716f0b6d10bc94c9f16b9a5b29f4160d6e98a6f7d7ba50a
Opcode Fuzzy Hash: 2ef133065002e87680c71437a3126dedb961e0181d1a2be1221b9bd57751f639
Instruction Fuzzy Hash: 99E0C27134A2E14BC744E2B478104AF7F97CFC612070880DBA64AC7A80C971580087A5

Function 0800AA30 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95bb408675919ca39c536d8b38b799339ae8cca5974639f6c2cfb83acc07811
Instruction ID: 902f448de4e8f37510559df51063c882dd6801dc9274051d5d50646c822062a6
Opcode Fuzzy Hash: a95bb408675919ca39c536d8b38b799339ae8cca5974639f6c2cfb83acc07811
Instruction Fuzzy Hash: 8ED0C97630512447C648A6AAB4145AF7A8FDBC9650B04806AAA0A83B44CD71AC0147A9

Function 080006F1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598e9fd18aad0ea1225eed1a531e6fd12c6fcccc1ebe7b5f3d23d367d5b2abcc
Instruction ID: 790ec515eef192548fc8140caded1ad53ac1f0d5226e9db23811874ccd85aace
Opcode Fuzzy Hash: 598e9fd18aad0ea1225eed1a531e6fd12c6fcccc1ebe7b5f3d23d367d5b2abcc
Instruction Fuzzy Hash: 1AD012F76A19408FE3008728DE46F1137E19B69712B168192E0048B676C231DC51CA12

Function 08000E51 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c625901efa9d323e61bbca9eaeaa6346019fc15c44c02fa85be1c91796d4152
Instruction ID: 988a2dd7b8d7a4ea908002c0da2ebf5e5eae949af81b26e1717480aa799a6baa
Opcode Fuzzy Hash: 8c625901efa9d323e61bbca9eaeaa6346019fc15c44c02fa85be1c91796d4152
Instruction Fuzzy Hash: ECC012F35116408BF301CB219C16743B722EBF1306B258866D0028B6A4D23AEC93C626

Function 08009F78 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ad3df679b61b90ab59cda358e29f69149cf3895bc251f09b3a80d2ccfe1eefa
Instruction ID: 9799742c76716f0e4e7ed8dbb7da4002b667036dbcff6e9c873888a84c2794e1
Opcode Fuzzy Hash: 4ad3df679b61b90ab59cda358e29f69149cf3895bc251f09b3a80d2ccfe1eefa
Instruction Fuzzy Hash: D3C01238400208EFFA705A64D4097253B9CE70433BF1062ADEC08052828B7654928993

Function 08008F08 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd13b6672071f463ec0578a2ab7f3a36feb928cced4d1b552c555836c8d055e
Instruction ID: dfd848730448593cf8cc853d3265a061de33f5595ee8011754a62d176d169a47
Opcode Fuzzy Hash: 1dd13b6672071f463ec0578a2ab7f3a36feb928cced4d1b552c555836c8d055e
Instruction Fuzzy Hash: 63C012B410D2455FC322DA50D814C10BF625FA6304B09C4EEAD45CB257E7329C56E716

Function 08000700 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 080038C0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4727145820.0000000008000000.00000040.00000800.00020000.00000000.sdmp, Offset: 08000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_8000000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894781626bb6f108c90138acae5c1a1113c4c3caafca747ea2007466834e5d14
Instruction ID: e1c448589b4da6832f71d680cecb3cb9d57995fb41a1738ce5dc9aed8bf6ade6
Opcode Fuzzy Hash: 894781626bb6f108c90138acae5c1a1113c4c3caafca747ea2007466834e5d14
Instruction Fuzzy Hash: E7B09232004208AB86009B84E904855BB6DAB686007008066B609061218B32A822DB94

Analysis Process: Exccelworkbook.exePID: 5204, Parent PID: 6664COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	89
Total number of Limit Nodes:	12

Executed Functions

Function 02FB6518 Relevance: 6.1, APIs: 4, Instructions: 143
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02FB65BE
GetCurrentThread.KERNEL32 ref: 02FB65FB
GetCurrentProcess.KERNEL32 ref: 02FB6638
GetCurrentThreadId.KERNEL32 ref: 02FB6691

Memory Dump Source

Source File: 0000000E.00000002.2432901079.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2fb0000_Exccelworkbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5c6f773a509f6c4e85decce9a86953a37861e9d3993502ed1aa8c435b43607b2
Instruction ID: 176712c89eb4691a801cbc67a5dc9c6deddaacf14b263c250135e6db3ac86624
Opcode Fuzzy Hash: 5c6f773a509f6c4e85decce9a86953a37861e9d3993502ed1aa8c435b43607b2
Instruction Fuzzy Hash: AA5155B1900209CFDB05CFAAD548BDEBFF1AF88318F24845AE109AB390DB745944CF65

Function 02FB6540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02FB65BE
GetCurrentThread.KERNEL32 ref: 02FB65FB
GetCurrentProcess.KERNEL32 ref: 02FB6638
GetCurrentThreadId.KERNEL32 ref: 02FB6691

Memory Dump Source

Source File: 0000000E.00000002.2432901079.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2fb0000_Exccelworkbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 02721557969fb5394b9d62aceb35ff42a9508d5765c5320ab30db33cd76a1647
Instruction ID: 182cd7c64cb8dc45941ea8d41633f32f03e20c56e7655ff8c28a1b0c1a6e6d43
Opcode Fuzzy Hash: 02721557969fb5394b9d62aceb35ff42a9508d5765c5320ab30db33cd76a1647
Instruction Fuzzy Hash: 055124B090024ACFDB15CFAAD548BDEBBF5BF88318F208459E509A7290DB746944CF65

Function 02FBBFF0 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02FBC256

Memory Dump Source

Source File: 0000000E.00000002.2432901079.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2fb0000_Exccelworkbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 71198db0149efc6fd728669cd6f4a0edd0f8d253e9f68e986188a38491465a21
Instruction ID: 98a25510aa4f832c69412fe9926f3a1b2f2b81272bd40470efb0558e545d4247
Opcode Fuzzy Hash: 71198db0149efc6fd728669cd6f4a0edd0f8d253e9f68e986188a38491465a21
Instruction Fuzzy Hash: C58135B0A00B058FD725DF6AD44479BBBF1FF88684F00892ED18ADBA40DB75E845CB90

Function 02FB6414 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02FB7421

Memory Dump Source

Source File: 0000000E.00000002.2432901079.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2fb0000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1598fb415478b8d6de6d3968ef00b085dc400f98f5d4ba1dca4ad05e638cef8b
Instruction ID: d58be388509581b8dd374f031977bd27def13c53e8eb233de24bea7859886b19
Opcode Fuzzy Hash: 1598fb415478b8d6de6d3968ef00b085dc400f98f5d4ba1dca4ad05e638cef8b
Instruction Fuzzy Hash: DD41CF71C0061DCBDB25DFAAC944BDEBBB5BF88304F60806AD508AB251DB756945CF90

Function 02FB7364 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02FB7421

Memory Dump Source

Source File: 0000000E.00000002.2432901079.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2fb0000_Exccelworkbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bbe6b4c1611c61dedd014b27969c4cd140b174f34408b9a58e4696239c0fe9db
Instruction ID: 177ae51e81f14ce1e2989904f8f2421f456900e68a8037a01f26c147ef666466
Opcode Fuzzy Hash: bbe6b4c1611c61dedd014b27969c4cd140b174f34408b9a58e4696239c0fe9db
Instruction Fuzzy Hash: C741D0B1C00719CBDB25DFAAC944BCEFBB5BF88305F20816AD508AB251DB756949CF90

Function 02FB6780 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FB680F

Memory Dump Source

Source File: 0000000E.00000002.2432901079.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2fb0000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5ce2d21b89d7fd977c3aa6ff34bd61a3ec44fb828a98e110b32bb8a55bfd8e6f
Instruction ID: aaa2d93d398112b4ed0abafe14499df9041502e25fbc6759f1243e2d52cb3dbe
Opcode Fuzzy Hash: 5ce2d21b89d7fd977c3aa6ff34bd61a3ec44fb828a98e110b32bb8a55bfd8e6f
Instruction Fuzzy Hash: 312126B1900208DFDB11CFAAD884ADEBBF8EF48324F14851AE914A3250D779A944CF64

Function 02FB6788 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FB680F

Memory Dump Source

Source File: 0000000E.00000002.2432901079.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2fb0000_Exccelworkbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0513080c6daa375f334cc1c9203067a11e485170ce7c48da3ca806cfe2207b4b
Instruction ID: c03f3bbb5038ba050be8fc000f08d84391490076eff568d038617434a408d68c
Opcode Fuzzy Hash: 0513080c6daa375f334cc1c9203067a11e485170ce7c48da3ca806cfe2207b4b
Instruction Fuzzy Hash: BD21E3B59002099FDB10CF9AD984ADEBBF8FF48324F14801AE914A3310D374A954CFA5

Function 02FBC1F0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02FBC256

Memory Dump Source

Source File: 0000000E.00000002.2432901079.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2fb0000_Exccelworkbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a588d29b713db6ed4c68b8421506846039b7a422dd9a8dac9ba57255527d44e1
Instruction ID: 18f0e5a58f5ae8b87bf1278325bf1410d54cf67b3a241785ebfc17e3998f9f0e
Opcode Fuzzy Hash: a588d29b713db6ed4c68b8421506846039b7a422dd9a8dac9ba57255527d44e1
Instruction Fuzzy Hash: 4F110FB6C002498FCB10CF9AC444ADFFBF4AF88624F10856AD529A7200C3B9A545CFA1

Function 02E4D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2432405815.0000000002E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2e4d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79bd04b126a77f99c368d61039cebe1391d489b99ec71a7f48c64703c3f2d9e
Instruction ID: edab9d36b8ecdefd54f7f2f74c4716ae9f8400326e598f9e830d2cae5596f94d
Opcode Fuzzy Hash: f79bd04b126a77f99c368d61039cebe1391d489b99ec71a7f48c64703c3f2d9e
Instruction Fuzzy Hash: 72213475644300EFDB14DF14E9C0B26BB66FB84318F20C56DD90A4B292CB7AE807CA61

Function 02E4D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2432405815.0000000002E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2e4d000_Exccelworkbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38c3f64ee2118149c128960c766226d9f136db33ca15f26bbcdeb93ebc885d3
Instruction ID: 18a79a3ab2bfddecbbb4018c5810264c66e40293608b90aa12f7834f8f07ae4b
Opcode Fuzzy Hash: d38c3f64ee2118149c128960c766226d9f136db33ca15f26bbcdeb93ebc885d3
Instruction Fuzzy Hash: 9F2165755493C08FCB16CF24D994715BF71EB46218F28C5DAD8498F6A7C33AD40ACB62

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Exccelworkbook.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe.log

C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
pdf_2025 QUOTATION - #202401146778.pdf (83kb).com.exe

Function 015AD369 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Function 015AD378 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0901FB8A Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre