
Windows Analysis Report
Aviso de transferencia.exe

Overview

General Information

Sample name: Aviso de transferencia.exe
Analysis ID: 1538536
MD5: 8d664129af173ed945236efb82d4ad67
SHA1: 7e0f8f79786ebbeb561171032ea65fcfcd6db437
SHA256: ae26ace2f3bcb3c94a3a8af4a6684da129aa08d73c18a5311d7491d006b20042
Tags: exe, user-lowmal3

Detection

AsyncRAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Aviso de transferencia.exe (PID: 6756 cmdline: "C:\Users\user\Desktop\Aviso de transferencia.exe" MD5: 8D664129AF173ED945236EFB82D4AD67)
    • Aviso de transferencia.exe (PID: 7212 cmdline: "C:\Users\user\Desktop\Aviso de transferencia.exe" MD5: 8D664129AF173ED945236EFB82D4AD67)
      • cmd.exe (PID: 7588 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 7684 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)
      • cmd.exe (PID: 7608 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCD5C.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 7740 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • windowsBook.exe (PID: 7800 cmdline: "C:\Users\user\AppData\Local\Temp\windowsBook.exe" MD5: 8D664129AF173ED945236EFB82D4AD67)
          • windowsBook.exe (PID: 7928 cmdline: "C:\Users\user\AppData\Local\Temp\windowsBook.exe" MD5: 8D664129AF173ED945236EFB82D4AD67)
  • windowsBook.exe (PID: 7760 cmdline: C:\Users\user\AppData\Local\Temp\windowsBook.exe MD5: 8D664129AF173ED945236EFB82D4AD67)
    • windowsBook.exe (PID: 7840 cmdline: "C:\Users\user\AppData\Local\Temp\windowsBook.exe" MD5: 8D664129AF173ED945236EFB82D4AD67)
    • windowsBook.exe (PID: 7848 cmdline: "C:\Users\user\AppData\Local\Temp\windowsBook.exe" MD5: 8D664129AF173ED945236EFB82D4AD67)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
Extracted malware configuration: {"Server": "quin.ydns.eu", "Port": "1962", "Version": "0.5.8", "MutexName": "8xLI57IVXCDFxeWa@", "Autorun": "true", "Group": "null"}
Source | Rule | Description | Author
dump.pcap | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x76ba1:$x1: AsyncRAT
  • 0x76bdf:$x1: AsyncRAT
Source | Rule | Description | Author
00000000.00000002.1276809734.0000000009470000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000014.00000002.1444950747.0000000005630000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x15cb:$x1: AsyncRAT
  • 0x1609:$x1: AsyncRAT
00000008.00000002.1321474542.0000000001F88000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xaf53:$x1: AsyncRAT
  • 0xaf91:$x1: AsyncRAT
00000008.00000002.1320113027.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000008.00000002.1320113027.0000000000402000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  Strings:
  • 0xa10b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
(29 further entries not shown)
Source | Rule | Description | Author
0.2.Aviso de transferencia.exe.294e1e0.1.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.2.Aviso de transferencia.exe.294e1e0.1.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  Strings:
  • 0x8479:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x9838:$a2: Stub.exe
  • 0x98c8:$a2: Stub.exe
  • 0x509d:$a3: get_ActivatePong
  • 0x8691:$a4: vmware
  • 0x8509:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x5e97:$a6: get_SslClient
0.2.Aviso de transferencia.exe.294e1e0.1.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  Strings:
  • 0x850b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.Aviso de transferencia.exe.295a0bc.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.2.Aviso de transferencia.exe.295a0bc.0.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  Strings:
  • 0x8479:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x9838:$a2: Stub.exe
  • 0x98c8:$a2: Stub.exe
  • 0x509d:$a3: get_ActivatePong
  • 0x8691:$a4: vmware
  • 0x8509:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x5e97:$a6: get_SslClient
(30 further entries not shown)

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Aviso de transferencia.exe", ParentImage: C:\Users\user\Desktop\Aviso de transferencia.exe, ParentProcessId: 7212, ParentProcessName: Aviso de transferencia.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit, ProcessId: 7588, ProcessName: cmd.exe
Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Aviso de transferencia.exe", ParentImage: C:\Users\user\Desktop\Aviso de transferencia.exe, ParentProcessId: 7212, ParentProcessName: Aviso de transferencia.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit, ProcessId: 7588, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7588, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' , ProcessId: 7684, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-21T14:18:28.281688+0200 | 2035595 | 1 | Domain Observed Used for C2 Detected | 185.38.142.240 | 1962 | 192.168.2.7 | 49775 | TCP
2024-10-21T14:18:28.281688+0200 | 2035607 | 1 | Domain Observed Used for C2 Detected | 185.38.142.240 | 1962 | 192.168.2.7 | 49775 | TCP
2024-10-21T14:18:28.281688+0200 | 2842478 | 1 | Malware Command and Control Activity Detected | 185.38.142.240 | 1962 | 192.168.2.7 | 49775 | TCP


AV Detection

Source: 00000016.00000002.2486571211.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "quin.ydns.eu", "Port": "1962", "Version": "0.5.8", "MutexName": "8xLI57IVXCDFxeWa@", "Autorun": "true", "Group": "null"}
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | ReversingLabs: Detection: 23%
Source: Aviso de transferencia.exe | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Joe Sandbox ML: detected
Source: Aviso de transferencia.exe | Joe Sandbox ML: detected
Source: Aviso de transferencia.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Aviso de transferencia.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: CYFA.pdb | source: Aviso de transferencia.exe, windowsBook.exe.8.dr
Source: Binary string: CYFA.pdbSHA256~ | source: Aviso de transferencia.exe, windowsBook.exe.8.dr
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Code function: 4x nop then jmp 0BF60C02h | 0_2_0BF60457
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 4x nop then jmp 09C70C02h | 17_2_09C70457
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 4x nop then jmp 09850C02h | 18_2_09850457

Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 185.38.142.240:1962 -> 192.168.2.7:49775
Source: Network traffic | Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 185.38.142.240:1962 -> 192.168.2.7:49775
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 185.38.142.240:1962 -> 192.168.2.7:49775
Source: Network traffic | Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 185.38.142.240:1962 -> 192.168.2.7:49775
Source: Malware configuration extractor | URLs: quin.ydns.eu
Source: Yara match | File source: 0.2.Aviso de transferencia.exe.295a0bc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Aviso de transferencia.exe.294e1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.windowsBook.exe.2edae1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.windowsBook.exe.2ee6cf8.0.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.7:49775 -> 185.38.142.240:1962
Source: Joe Sandbox View | ASN Name: NETSOLUTIONSNL NETSOLUTIONSNL
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: quin.ydns.eu
Source: 77EC63BDA74BD0D0E0426DC8F80085060.22.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: windowsBook.exe, 00000016.00000002.2483789589.000000000133B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabo
Source: windowsBook.exe, 00000016.00000002.2483789589.00000000012E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en2U
Source: Aviso de transferencia.exe, 00000008.00000002.1322217899.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 00000016.00000002.2486571211.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Aviso de transferencia.exe, windowsBook.exe.8.dr | String found in binary or memory: http://tempuri.org/DatabaseWalletDataSet.xsd

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 0.2.Aviso de transferencia.exe.294e1e0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Aviso de transferencia.exe.295a0bc.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Aviso de transferencia.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Aviso de transferencia.exe.295a0bc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.windowsBook.exe.2edae1c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Aviso de transferencia.exe.294e1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.windowsBook.exe.2ee6cf8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.windowsBook.exe.2edae1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.windowsBook.exe.2ee6cf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.1320113027.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1275545686.0000000002948000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2486571211.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1390252194.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Aviso de transferencia.exe PID: 6756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Aviso de transferencia.exe PID: 7212, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: windowsBook.exe PID: 7760, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: windowsBook.exe PID: 7928, type: MEMORYSTR

System Summary

Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Aviso de transferencia.exe.294e1e0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.Aviso de transferencia.exe.294e1e0.1.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Aviso de transferencia.exe.295a0bc.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.Aviso de transferencia.exe.295a0bc.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 8.2.Aviso de transferencia.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 8.2.Aviso de transferencia.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Aviso de transferencia.exe.295a0bc.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.Aviso de transferencia.exe.295a0bc.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 17.2.windowsBook.exe.2edae1c.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 17.2.windowsBook.exe.2edae1c.1.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Aviso de transferencia.exe.294e1e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.Aviso de transferencia.exe.294e1e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 17.2.windowsBook.exe.2ee6cf8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 17.2.windowsBook.exe.2ee6cf8.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 17.2.windowsBook.exe.2edae1c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 17.2.windowsBook.exe.2edae1c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 17.2.windowsBook.exe.2ee6cf8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 17.2.windowsBook.exe.2ee6cf8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000014.00000002.1444950747.0000000005630000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000008.00000002.1321474542.0000000001F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000008.00000002.1320113027.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000016.00000002.2483789589.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000016.00000002.2483789589.000000000133B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1275545686.0000000002948000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.1275545686.0000000002948000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000016.00000002.2486571211.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000016.00000002.2486571211.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000008.00000002.1322217899.0000000003581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000008.00000002.1322217899.0000000003581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000011.00000002.1390252194.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000011.00000002.1390252194.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000014.00000002.1440972671.000000000304C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Aviso de transferencia.exe PID: 6756, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Aviso de transferencia.exe PID: 7212, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Aviso de transferencia.exe PID: 7212, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: windowsBook.exe PID: 7760, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: windowsBook.exe PID: 7848, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: windowsBook.exe PID: 7928, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: windowsBook.exe PID: 7928, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Code function: 0_2_0111D324
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Code function: 0_2_094D0040
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Code function: 0_2_094D3980
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Code function: 0_2_094DC820
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Code function: 0_2_094D4B58
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Code function: 0_2_094DCC58
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Code function: 0_2_094D0016
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Code function: 0_2_094DD090
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Code function: 0_2_094DC3E8
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Code function: 0_2_094DC3B4
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Code function: 0_2_094DE738
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Code function: 0_2_0BF62A99
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 17_2_02CED324
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 17_2_073F0040
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 17_2_073FE738
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 17_2_073FC3E8
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 17_2_073FC3D2
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 17_2_073F0006
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 17_2_073FD090
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 17_2_073FCC58
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 17_2_073F4B58
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 17_2_073F4B48
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 17_2_073F396F
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 17_2_073F3980
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 17_2_073FC820
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 17_2_09C72BD8
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 18_2_00FCD324
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 18_2_06FE0040
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 18_2_06FEE738
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 18_2_06FEC3E8
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 18_2_06FEC3D1
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 18_2_06FED090
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 18_2_06FE0007
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 18_2_06FECC58
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 18_2_06FE4B58
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 18_2_06FE4B48
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 18_2_06FEC820
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 18_2_06FE3980
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 18_2_06FE396F
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 18_2_09852A7F
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 22_2_02CD63D8
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 22_2_02CD6CA8
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 22_2_02CD6090
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 22_2_02CD75A8
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Code function: 22_2_02CDAE88
Source: Aviso de transferencia.exe, 00000000.00000002.1276938859.00000000096E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Aviso de transferencia.exe
Source: Aviso de transferencia.exe, 00000000.00000002.1275781875.0000000003909000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Aviso de transferencia.exe
Source: Aviso de transferencia.exe, 00000000.00000002.1274459240.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Aviso de transferencia.exe
Source: Aviso de transferencia.exe, 00000000.00000002.1275545686.0000000002948000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs Aviso de transferencia.exe
Source: Aviso de transferencia.exe, 00000008.00000002.1320113027.000000000040E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs Aviso de transferencia.exe
Source: Aviso de transferencia.exe | Binary or memory string: OriginalFilenameCYFA.exeF vs Aviso de transferencia.exe
Source: Aviso de transferencia.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 0.2.Aviso de transferencia.exe.294e1e0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 0.2.Aviso de transferencia.exe.294e1e0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 0.2.Aviso de transferencia.exe.295a0bc.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 0.2.Aviso de transferencia.exe.295a0bc.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 8.2.Aviso de transferencia.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 8.2.Aviso de transferencia.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 0.2.Aviso de transferencia.exe.295a0bc.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 0.2.Aviso de transferencia.exe.295a0bc.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 17.2.windowsBook.exe.2edae1c.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 17.2.windowsBook.exe.2edae1c.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 0.2.Aviso de transferencia.exe.294e1e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 0.2.Aviso de transferencia.exe.294e1e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 17.2.windowsBook.exe.2ee6cf8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 17.2.windowsBook.exe.2ee6cf8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 17.2.windowsBook.exe.2edae1c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 17.2.windowsBook.exe.2edae1c.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 17.2.windowsBook.exe.2ee6cf8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 17.2.windowsBook.exe.2ee6cf8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 00000014.00000002.1444950747.0000000005630000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 00000008.00000002.1321474542.0000000001F88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 00000008.00000002.1320113027.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 00000016.00000002.2483789589.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 00000016.00000002.2483789589.000000000133B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 00000000.00000002.1275545686.0000000002948000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 00000000.00000002.1275545686.0000000002948000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 00000016.00000002.2486571211.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 00000016.00000002.2486571211.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 00000008.00000002.1322217899.0000000003581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 00000008.00000002.1322217899.0000000003581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 00000011.00000002.1390252194.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 00000011.00000002.1390252194.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 00000014.00000002.1440972671.000000000304C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: Process Memory Space: Aviso de transferencia.exe PID: 6756, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: Process Memory Space: Aviso de transferencia.exe PID: 7212, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: Process Memory Space: Aviso de transferencia.exe PID: 7212, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: Process Memory Space: windowsBook.exe PID: 7760, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: Process Memory Space: windowsBook.exe PID: 7848, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: Process Memory Space: windowsBook.exe PID: 7928, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: Process Memory Space: windowsBook.exe PID: 7928, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: Aviso de transferencia.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: windowsBook.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.Aviso de transferencia.exe.391e790.2.raw.unpack, at4ONG9F0NYCELN5Tj.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 0.2.Aviso de transferencia.exe.9470000.5.raw.unpack, at4ONG9F0NYCELN5Tj.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 0.2.Aviso de transferencia.exe.295a0bc.0.raw.unpack, OiHoolIAygQAXBT.cs | Base64 encoded string: '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', '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
          Source: 0.2.Aviso de transferencia.exe.294e1e0.1.raw.unpack, OiHoolIAygQAXBT.csBase64 encoded string: 'yKawK3VpaUozVt7nSUZH+FnSyshePzOpFVCnRwX7U4ZB280WpfMTuTYeExR0FWuvbGpl3SI6rcp8bs+ljbVa2lDFNksGpMvQB+F6XFct3J60IeY1leqgjx0W7B1p+kqD/QtuP0XvjgWxZQ6bRM4s9auajVMXd2Y/Hgg/g2fz1ZipgNNWkwZoA0gfIfq8C+K+1i+++6eXPAokDnmrOM+EdaCtg8b5VGEj6UB1qrLieygyNrM6/SLeKezb1PA9AtA8U9IirRGLrYGl6gMwhQMH2ARPD9qVLreMF1ObJjWzeBmp1rLB4uTd/LTYiXbqf6vQ0SDyFPN74YEHEw5+xR5zSVxycirzV/2lIOJHuy1HYcQQVxoGAbLnZhMKMRQLzJEbpb/BoXIMSlHILNCGdkzsajyh/2CB9lgbze0+hcs7lWIUdnw/NG2Lh+NR9mTGqyRD8f6ztxYyBny2t7mnfhtYWyzP1/oxh+pwDbttOmnidk8vgIy4Z86FP2GdusQdiJac8alNHOjVOQGfiXF1PcBfUm0+IMYZU4BlX5S+8VjvPRSmWrd8hHO2nB+OflZE7cZ8+IQabffVZ7nGtNlcs5hpJV1n36PHaPpfOV1mftpl3KQ/IIepioZKvI0zVhG1R/MDkTxlmx+JcLVsaDJq02tWIAWR0dPcX5suErDeDucMUjXits8r7bCJ2GjAjghT1eu5Gu8Zl2ZRza7Iq/EA6DhGs5wcDpKYuHB/TOLrBxZV2S40V+lpzYBpbpzWEs6c6tIMHE3ejTrM0WAZR05tqWOuh+XvN4Ar/1NfvOHGxiSB8QZCoSyrCyJ785MPSL3gf49u/vm6Lkh1zPqAiS8w6VA1PpaEyeGajroYXuiWPP7obfDHTOwblMA6mf6orYIWZpWrFo94fu5vde5No6HKP5Yxo+VyFfKP4BwkSC75N4rviWlv81OiGc2r2X9HA3Jsc4Q6hrZSFiE7SoJhlraD1pP6yLDzfyNBmuuHE5I/e/deR6sSSPiejRj0u+JUrT+/h9acgZHQCTragNKUSpZMseB7Fiw5qpkclFu2scGyuXx+nKoO2KzPSbRjsXOfaApX/1ofb5tCm+hSFwTTih4mq7N0Tkh2mMQ4Z0ubCatWr9VO6bw3/EX5cF4oe3WV5uKBXly7ztB7lplwxOVmAxWZ3rbBOJofvRitOUtUmf/4Lgn1akzk/X8n4brrIUAMz9YS+lYKd0rLTpKme2XK3WRSa5DL/Z5Ar6MyscXBmwcY24C0yatbtGPlxZ1Lfj6Aexhbamrq8W2Ck6bqubyV+HSJvGJUcarOxwSAmQzDVNKmW3RxN452KM2y9VLc5jNxaYZdGdqteQFoDrrZb5fv0ZWR/fdDBAQCMhHQKkgfhVLIdWTr6hOpiDs9NnzmdYo0ER1y7Gj8J2whXqEYXznmo8y372z7j9PUPQhWCnEs/veEaNpHUpG4Yjy0GEvrzdp7tNpOxzDr433hsmkDwTgJHr3sD8uUGNJ0sgBTbOTtIC/hZCKqq1iieLppecA846W0MkBwrFZKesVwH/bmBMZlgbomvWhhIhEs9nGYSEAzLj0x4JkF//exESLXp6840pAL1HFBOLRknjEBXOFecVxcEgIRQZG/8NcfTlNUgJVm9re1UQP39qvdNyoESg/luLQ84lGy0DjQQpo5utjubbf0mggLLHic6Aaimct7g3buEckjUdLvvlK2LReaDwvkENlysrHLxpamLm6RRV139k/R3GBI1F1H6PbTST0J12/oFDv/1btrRvDU22dYPOLgAgRhzBOg4MlI4XrVvQUwcr2wMQbPZk1k5jixKcbjh5uJq8zl5ro3hrR5k7aWO71Qy9uxmbmD1EkZDOtYxLCMYe+eBkuE7FN7A/ioFIr/TVh
MbSeP4iF4R8YS1DpJ7+1skdNZ6GeMfw/XBZJJGp/jH9ulBEolRrJ2NvXvgKDwWSw5lSEYKT5qXrX99BqwBqy3VLDQqpVEvVfuaMzqQVwpCPQI1blHF2FwZKXd6DSiO0Npi2XtAQcZjb/9SaEwoORNr8cowR/HkJIdV/pkk//7f/Y9gWsmNtiivR6bi6C0pvtSkYA+nGIVS3IRHiVt2PljPWGwCQcO/nI5qxksSsByYMBvdS5+VYRdzEQUhFPzTZPmiXi4LIMAwGcQ0NKTsb5u7zrIqhVwnBp75hJntAArJAccK1GWqjX4e+CCBwgKc1JuLSCaxzooKaKL7XfAP81lGd/phOldRleApUAXNeOHSqQN8Ru1jj3AhjYtVlIr58wknbZNIEc8atQcpyGUOAWCvCfBgeg5rqVm04R+2HJyheDy7nBnxT+rbnGvPMgGU0gwrhduZlOYsaM=', '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
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, QovWQ95hEMVPSioj6l.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, QovWQ95hEMVPSioj6l.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, QovWQ95hEMVPSioj6l.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.Aviso de transferencia.exe.294e1e0.1.raw.unpack, QlQTgMLzdOeM.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 0.2.Aviso de transferencia.exe.294e1e0.1.raw.unpack, QlQTgMLzdOeM.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, hfqTgZkGrRl1qdRosh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, hfqTgZkGrRl1qdRosh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, hfqTgZkGrRl1qdRosh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, QovWQ95hEMVPSioj6l.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, QovWQ95hEMVPSioj6l.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, QovWQ95hEMVPSioj6l.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, QovWQ95hEMVPSioj6l.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, QovWQ95hEMVPSioj6l.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, QovWQ95hEMVPSioj6l.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.Aviso de transferencia.exe.295a0bc.0.raw.unpack, QlQTgMLzdOeM.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 0.2.Aviso de transferencia.exe.295a0bc.0.raw.unpack, QlQTgMLzdOeM.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@23/7@1/1
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Aviso de transferencia.exe.log
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Mutant created: NULL
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Mutant created: \Sessions\1\BaseNamedObjects\8xLI57IVXCDFxeWa@
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe | File created: C:\Users\user\AppData\Local\Temp\windowsBook.exe
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCD5C.tmp.bat""
          Source: Aviso de transferencia.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: Aviso de transferencia.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: windowsBook.exe.8.dr | Binary or memory string: INSERT INTO Games (user_id, wins, ties, losses) VALUES ((SELECT id FROM Users WHERE id = {0}), 0, 1, 0);tiesaUPDATE Games SET ties = {0} WHERE user_id = {1};
          Source: windowsBook.exe.8.dr | Binary or memory string: INSERT INTO Games (user_id, wins, ties, losses) VALUES ((SELECT id FROM Users WHERE id = {0}), 1, 0, 0);winsaUPDATE Games SET wins = {0} WHERE user_id = {1};
          Source: windowsBook.exe.8.dr | Binary or memory string: INSERT INTO Games (user_id, wins, ties, losses) VALUES ((SELECT id FROM Users WHERE id = {0}), 0, 0, 1);
          Source: Aviso de transferencia.exe | ReversingLabs: Detection: 23%
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe | File read: C:\Users\user\Desktop\Aviso de transferencia.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Aviso de transferencia.exe "C:\Users\user\Desktop\Aviso de transferencia.exe"
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Process created: C:\Users\user\Desktop\Aviso de transferencia.exe "C:\Users\user\Desktop\Aviso de transferencia.exe"
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCD5C.tmp.bat""
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
          Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe C:\Users\user\AppData\Local\Temp\windowsBook.exe
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Process created: C:\Users\user\Desktop\Aviso de transferencia.exe "C:\Users\user\Desktop\Aviso de transferencia.exe"
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCD5C.tmp.bat""
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: dwrite.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: slc.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: dwrite.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: msasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: mscoree.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: msasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: mswsock.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: rasadhlp.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: fwpuclnt.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: secur32.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: schannel.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: mskeyprotect.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: ntasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: ncryptsslp.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: gpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: cryptnet.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: winnsi.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: winhttp.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: webio.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: cabinet.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: wbemcomn.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: amsi.dll
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Aviso de transferencia.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Aviso de transferencia.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Aviso de transferencia.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: CYFA.pdb source: Aviso de transferencia.exe, windowsBook.exe.8.dr
          Source: Binary string: CYFA.pdbSHA256~ source: Aviso de transferencia.exe, windowsBook.exe.8.dr

          Data Obfuscation

          Source: 0.2.Aviso de transferencia.exe.391e790.2.raw.unpack, at4ONG9F0NYCELN5Tj.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})
          Source: 0.2.Aviso de transferencia.exe.9470000.5.raw.unpack, at4ONG9F0NYCELN5Tj.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})
          Source: Aviso de transferencia.exe, FormLogin.cs .Net Code: InitializeComponent
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, QovWQ95hEMVPSioj6l.cs .Net Code: ySjEDkqN7o System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, QovWQ95hEMVPSioj6l.cs .Net Code: ySjEDkqN7o System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, QovWQ95hEMVPSioj6l.cs .Net Code: ySjEDkqN7o System.Reflection.Assembly.Load(byte[])
          Source: windowsBook.exe.8.dr, FormLogin.cs .Net Code: InitializeComponent
          Source: 8.2.Aviso de transferencia.exe.45e8408.1.raw.unpack, FormLogin.cs .Net Code: InitializeComponent
          Source: Aviso de transferencia.exe Static PE information: 0xC5CCFDE4 [Thu Feb 28 02:18:12 2075 UTC]
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Code function: 17_2_02CEE9A2 pushfd ; retf 17_2_02CEE9A9
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Code function: 17_2_02CEF4BA push eax; iretd 17_2_02CEF4C1
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Code function: 18_2_00FCE9A3 pushfd ; retf 18_2_00FCE9A9
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Code function: 18_2_00FCF4BB push eax; iretd 18_2_00FCF4C1
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Code function: 18_2_09850D41 push es; iretd 18_2_09850D67
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe Code function: 22_2_02CD3AE0 push ebx; retf 7064h 22_2_02CD3BDA
          Source: Aviso de transferencia.exe Static PE information: section name: .text entropy: 7.9062155732125765
          Source: windowsBook.exe.8.dr Static PE information: section name: .text entropy: 7.9062155732125765
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, FWPZvPGG2NGeDrUUHY.csHigh entropy of concatenated method names: 'm28b1BvpWT', 'PkdbClNA1u', 'MxCbSVfhTl', 'TlXbigjs3R', 'J2kblqUKTq', 'XkjbMRBPH5', 'aA9hCeLsMUP0pfIPyX', 'sBAofHbUJntJD6js4E', 'VfdbbvK3rs', 'cvcbPeSaMZ'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, WA6GRlsXjrrb6h4V29.csHigh entropy of concatenated method names: 'k0RrScAQM5', 'rR3riCRHVK', 'ToString', 'j9Yra0sFdG', 'NI6r5fHQDA', 'CJQrx2BYUx', 'yaFrqU3QvM', 'W6rr7LuyqE', 'IMBr1fQd5J', 'EhSrC8fMF5'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, ToMYSNwPJjwfUjKiDX.csHigh entropy of concatenated method names: 'onYxGrDCoh', 'Hfjx6Roi9c', 'Ku1xTIoIib', 'Q3uxfLC9Ee', 'jPExlpDb2Y', 'V4IxM7v6Jq', 'su8xrjkWvk', 'lNgxelG0MM', 'tsCxg4CEYj', 'q7Oxp20r1k'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, rbKcFf1hn3nuDKVnef.csHigh entropy of concatenated method names: 'eMp8TvZM26', 'JA58fi4pbd', 'qbN8Oqp5KY', 'Awx8UeZtub', 'zrU8kc5L4m', 'A3c8W8qRqt', 'f6x8N37mlL', 'rZh8uinnh5', 'AXH8Ass1tZ', 'sZM8c4LPBY'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, IVMLjFLnhdQ1HlELP2.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'VInnZeGVGj', 'GoqnsmG2d3', 'MT4nzap8Xq', 'kiYP4l5e2T', 'kVjPbr23g0', 'Lp8Pn7ogif', 'H5tPPfG8Ws', 'R6srAt2RtMAlS7vMLJ2'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, Y5OXvHoCJOO5s0nEDnc.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i0bp9yXiWb', 'WmCpBmQ666', 'iAJpQgqp9m', 'xSgpmM2l3I', 'tKLpFOtwb5', 'qG4pwX0vO7', 'D6uphhFc3e'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, gqJfJAx8xBdgZ9jvfn.csHigh entropy of concatenated method names: 'UBplApSBG0', 'CSylV26SfF', 'PPXl99RIst', 'DCHlBpUpJ1', 'x4RlU9hkZ1', 'nFal3npcEO', 'MtxlkWJeWv', 'KBZlWlFFl8', 'Qf7l2pnuJo', 'YS9lNQRdvj'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, kbHWljzWNZfp9m7kBG.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pmRg8udPNO', 'hRagl4U3f3', 'bDSgMbvsO6', 'DPxgrA4G68', 'P3BgetaRGA', 'zvdggm3qqi', 'FAxgpeeRgZ'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, ugghWu4CxStT66wXqh.csHigh entropy of concatenated method names: 'oy5DBNSUB', 'FGFGipMaw', 'NpI6NSSBs', 'KHvd32E5I', 'l5pfQN5wn', 'CD3tHNiOK', 'R4Qwi5VchBnkqXqx0k', 'Brkb7a6Re3Y2LIGnqQ', 'uY2e6ToS0', 'tlDpOx4Jl'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, Eu76Pinjur1WC8R1bI.csHigh entropy of concatenated method names: 'Dispose', 'XXlbZKWtps', 'rcVnUDyCKH', 'UNJvv2nZY6', 'oFlbs6nrh1', 'HTWbzT2ik8', 'ProcessDialogKey', 'rHxn4IfIVc', 'm6mnbUClj6', 'IGSnn2IDgo'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, PghQQxhulwqEmG4nhN.csHigh entropy of concatenated method names: 'SCr1a9OA82', 'bMS1xGUGrS', 'Qh3179NGO0', 'gKB7slngI4', 'SIg7zjLt29', 'VS814RNfnH', 'qjn1bipyvD', 'UVB1nYnQtR', 'Jy61PMj7Ai', 'Rmt1ESlngJ'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, QovWQ95hEMVPSioj6l.csHigh entropy of concatenated method names: 'mVjPJpTBaf', 'yBgPahd80b', 'SrlP5xemuc', 'OTsPxZLh2m', 'EQgPq902QU', 'sFnP7j2EoW', 'AndP1SF0hq', 'xX8PCd9YZT', 'NPVPjyZ5eg', 'yahPSPoE6Z'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, UorxSMiASt35xqJabR.csHigh entropy of concatenated method names: 'F92eavAvut', 'RDke5HsUXA', 'qvHexZ7Ryu', 'HGteq7LvPp', 'zCRe7XE3kQ', 'J9Ue1PMApv', 'FVheCVorxq', 'uC5ejcUd0U', 'QygeSHS9ko', 'RG3eiyueKu'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, hfqTgZkGrRl1qdRosh.csHigh entropy of concatenated method names: 'DLH59i3syv', 'qp45Bi55eO', 'kqH5QfaYjQ', 'gth5m5JPoK', 'DgW5FCMtgE', 'Jug5wJGx0M', 'suS5hgIk3M', 'uUJ5Kjhe7M', 'QwK5ZcXGO7', 'lBM5sfq6Iy'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, LBxSyvu289TtN9ADpD.csHigh entropy of concatenated method names: 'xM11YHknnY', 'vwo1LIrit8', 'gyv1DDMjry', 'A0B1GC1MAY', 'kUj1XYuFDu', 'xos16TtISL', 'IVw1dR3m76', 'bs41TroFMX', 'ASp1fB9gLm', 'mmm1tvNFnw'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, KXg8lGUCjkZ60m9tpN.csHigh entropy of concatenated method names: 'EA5rKlDqU4', 'HOErsfeoEr', 'D07e4gVjQU', 'pWHebWct9Z', 'DBcrcUX82O', 'lJKrVNhY6K', 'vJ3rRxqXvp', 'sGir9gQbpN', 'a4GrBGBuV1', 'R95rQ6LPo6'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, aACaaqoo25a3Cr8Gy0a.csHigh entropy of concatenated method names: 'ToString', 'Oh2pPJJC19', 'JoFpEpi6up', 'KXqpJ7Qo1O', 'oHXpaOOCvm', 'lb7p58Oc0k', 'd19pxFfWAY', 'UB1pqLnBYf', 'KTw3IaRTu20IjZQQoeG', 'yg27sHRUj5LtwlJPalP'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, BgDWOvXaAOTDj6q3GW.csHigh entropy of concatenated method names: 'HZvgbgIImc', 'xUQgPAN7eB', 'NZAgEVKTDj', 'uJkgaK0axf', 'OBig5oNmJX', 'dRIgqkpY2C', 'IIQg7u4mUL', 'pQFeh2Fy4N', 'Xk4eKtvsUT', 'FJVeZc68mn'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, OZlkGMeTjLUBpXpOD9.csHigh entropy of concatenated method names: 'wZ77Jv6Iuq', 'IFx75n7Ip2', 'F6g7qorkPh', 'DXT718eleb', 'HHj7CVXHMl', 'bKqqFoutdP', 'v8VqwnP71j', 'h82qhvlqK7', 'i78qK9xx31', 'hJgqZdsHQx'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, QLh9wcFTubJ9cQf2No.csHigh entropy of concatenated method names: 'viUqXRFK3v', 'Wawqd6db67', 'qnGx39xHt3', 'tSuxk8REXG', 'lHcxWoTqwr', 'roQx2yGmwK', 'wAvxNiYDTM', 'pQTxuwdy6M', 'La2x0belxC', 'ymcxADg50r'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, YLXyXgPv3TfBp95E08.csHigh entropy of concatenated method names: 'MdWeOojQeb', 'kLUeU0bRne', 'KIOe3o0f2T', 'HYjekZcpqs', 'CJSe9krxNO', 'tL2eWxu3Jo', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.Aviso de transferencia.exe.3ac6c10.3.raw.unpack, zYKgdvolWu7dOybkTTi.csHigh entropy of concatenated method names: 'UWugYQUGug', 'mCjgLIdtlV', 'WQugDCEq3L', 'h7lgGyxNkd', 'rWMgX7D4J2', 'TjUg6u7XcN', 'T0tgd6vUnh', 'Fs7gTFivJU', 'E3rgfpQ4bZ', 'fQ2gtuXeAO'
          Source: 0.2.Aviso de transferencia.exe.295a0bc.0.raw.unpack, WTlNonEqlrS.csHigh entropy of concatenated method names: 'RWIUTDDJGmvVUeD', 'DHwRZvzGtdyaOf', 'NVxhYPkjFbHe', 'QkrTDbktNZMNeeJWG', 'ullDtQBniM', 'uYnSlYOLGcD', 'hTHxBxeTyyhQFG', 'GPwCvvvaQvBVarLM', 'YirdoSqTbqrnwm', 'SPWfuVwfHoJf'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, FWPZvPGG2NGeDrUUHY.csHigh entropy of concatenated method names: 'm28b1BvpWT', 'PkdbClNA1u', 'MxCbSVfhTl', 'TlXbigjs3R', 'J2kblqUKTq', 'XkjbMRBPH5', 'aA9hCeLsMUP0pfIPyX', 'sBAofHbUJntJD6js4E', 'VfdbbvK3rs', 'cvcbPeSaMZ'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, WA6GRlsXjrrb6h4V29.csHigh entropy of concatenated method names: 'k0RrScAQM5', 'rR3riCRHVK', 'ToString', 'j9Yra0sFdG', 'NI6r5fHQDA', 'CJQrx2BYUx', 'yaFrqU3QvM', 'W6rr7LuyqE', 'IMBr1fQd5J', 'EhSrC8fMF5'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, ToMYSNwPJjwfUjKiDX.csHigh entropy of concatenated method names: 'onYxGrDCoh', 'Hfjx6Roi9c', 'Ku1xTIoIib', 'Q3uxfLC9Ee', 'jPExlpDb2Y', 'V4IxM7v6Jq', 'su8xrjkWvk', 'lNgxelG0MM', 'tsCxg4CEYj', 'q7Oxp20r1k'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, rbKcFf1hn3nuDKVnef.csHigh entropy of concatenated method names: 'eMp8TvZM26', 'JA58fi4pbd', 'qbN8Oqp5KY', 'Awx8UeZtub', 'zrU8kc5L4m', 'A3c8W8qRqt', 'f6x8N37mlL', 'rZh8uinnh5', 'AXH8Ass1tZ', 'sZM8c4LPBY'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, IVMLjFLnhdQ1HlELP2.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'VInnZeGVGj', 'GoqnsmG2d3', 'MT4nzap8Xq', 'kiYP4l5e2T', 'kVjPbr23g0', 'Lp8Pn7ogif', 'H5tPPfG8Ws', 'R6srAt2RtMAlS7vMLJ2'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, Y5OXvHoCJOO5s0nEDnc.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i0bp9yXiWb', 'WmCpBmQ666', 'iAJpQgqp9m', 'xSgpmM2l3I', 'tKLpFOtwb5', 'qG4pwX0vO7', 'D6uphhFc3e'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, gqJfJAx8xBdgZ9jvfn.csHigh entropy of concatenated method names: 'UBplApSBG0', 'CSylV26SfF', 'PPXl99RIst', 'DCHlBpUpJ1', 'x4RlU9hkZ1', 'nFal3npcEO', 'MtxlkWJeWv', 'KBZlWlFFl8', 'Qf7l2pnuJo', 'YS9lNQRdvj'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, kbHWljzWNZfp9m7kBG.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pmRg8udPNO', 'hRagl4U3f3', 'bDSgMbvsO6', 'DPxgrA4G68', 'P3BgetaRGA', 'zvdggm3qqi', 'FAxgpeeRgZ'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, ugghWu4CxStT66wXqh.csHigh entropy of concatenated method names: 'oy5DBNSUB', 'FGFGipMaw', 'NpI6NSSBs', 'KHvd32E5I', 'l5pfQN5wn', 'CD3tHNiOK', 'R4Qwi5VchBnkqXqx0k', 'Brkb7a6Re3Y2LIGnqQ', 'uY2e6ToS0', 'tlDpOx4Jl'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, Eu76Pinjur1WC8R1bI.csHigh entropy of concatenated method names: 'Dispose', 'XXlbZKWtps', 'rcVnUDyCKH', 'UNJvv2nZY6', 'oFlbs6nrh1', 'HTWbzT2ik8', 'ProcessDialogKey', 'rHxn4IfIVc', 'm6mnbUClj6', 'IGSnn2IDgo'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, PghQQxhulwqEmG4nhN.csHigh entropy of concatenated method names: 'SCr1a9OA82', 'bMS1xGUGrS', 'Qh3179NGO0', 'gKB7slngI4', 'SIg7zjLt29', 'VS814RNfnH', 'qjn1bipyvD', 'UVB1nYnQtR', 'Jy61PMj7Ai', 'Rmt1ESlngJ'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, QovWQ95hEMVPSioj6l.csHigh entropy of concatenated method names: 'mVjPJpTBaf', 'yBgPahd80b', 'SrlP5xemuc', 'OTsPxZLh2m', 'EQgPq902QU', 'sFnP7j2EoW', 'AndP1SF0hq', 'xX8PCd9YZT', 'NPVPjyZ5eg', 'yahPSPoE6Z'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, UorxSMiASt35xqJabR.csHigh entropy of concatenated method names: 'F92eavAvut', 'RDke5HsUXA', 'qvHexZ7Ryu', 'HGteq7LvPp', 'zCRe7XE3kQ', 'J9Ue1PMApv', 'FVheCVorxq', 'uC5ejcUd0U', 'QygeSHS9ko', 'RG3eiyueKu'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, hfqTgZkGrRl1qdRosh.csHigh entropy of concatenated method names: 'DLH59i3syv', 'qp45Bi55eO', 'kqH5QfaYjQ', 'gth5m5JPoK', 'DgW5FCMtgE', 'Jug5wJGx0M', 'suS5hgIk3M', 'uUJ5Kjhe7M', 'QwK5ZcXGO7', 'lBM5sfq6Iy'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, LBxSyvu289TtN9ADpD.csHigh entropy of concatenated method names: 'xM11YHknnY', 'vwo1LIrit8', 'gyv1DDMjry', 'A0B1GC1MAY', 'kUj1XYuFDu', 'xos16TtISL', 'IVw1dR3m76', 'bs41TroFMX', 'ASp1fB9gLm', 'mmm1tvNFnw'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, KXg8lGUCjkZ60m9tpN.csHigh entropy of concatenated method names: 'EA5rKlDqU4', 'HOErsfeoEr', 'D07e4gVjQU', 'pWHebWct9Z', 'DBcrcUX82O', 'lJKrVNhY6K', 'vJ3rRxqXvp', 'sGir9gQbpN', 'a4GrBGBuV1', 'R95rQ6LPo6'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, aACaaqoo25a3Cr8Gy0a.csHigh entropy of concatenated method names: 'ToString', 'Oh2pPJJC19', 'JoFpEpi6up', 'KXqpJ7Qo1O', 'oHXpaOOCvm', 'lb7p58Oc0k', 'd19pxFfWAY', 'UB1pqLnBYf', 'KTw3IaRTu20IjZQQoeG', 'yg27sHRUj5LtwlJPalP'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, BgDWOvXaAOTDj6q3GW.csHigh entropy of concatenated method names: 'HZvgbgIImc', 'xUQgPAN7eB', 'NZAgEVKTDj', 'uJkgaK0axf', 'OBig5oNmJX', 'dRIgqkpY2C', 'IIQg7u4mUL', 'pQFeh2Fy4N', 'Xk4eKtvsUT', 'FJVeZc68mn'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, OZlkGMeTjLUBpXpOD9.csHigh entropy of concatenated method names: 'wZ77Jv6Iuq', 'IFx75n7Ip2', 'F6g7qorkPh', 'DXT718eleb', 'HHj7CVXHMl', 'bKqqFoutdP', 'v8VqwnP71j', 'h82qhvlqK7', 'i78qK9xx31', 'hJgqZdsHQx'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, QLh9wcFTubJ9cQf2No.csHigh entropy of concatenated method names: 'viUqXRFK3v', 'Wawqd6db67', 'qnGx39xHt3', 'tSuxk8REXG', 'lHcxWoTqwr', 'roQx2yGmwK', 'wAvxNiYDTM', 'pQTxuwdy6M', 'La2x0belxC', 'ymcxADg50r'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, YLXyXgPv3TfBp95E08.csHigh entropy of concatenated method names: 'MdWeOojQeb', 'kLUeU0bRne', 'KIOe3o0f2T', 'HYjekZcpqs', 'CJSe9krxNO', 'tL2eWxu3Jo', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.Aviso de transferencia.exe.96e0000.6.raw.unpack, zYKgdvolWu7dOybkTTi.csHigh entropy of concatenated method names: 'UWugYQUGug', 'mCjgLIdtlV', 'WQugDCEq3L', 'h7lgGyxNkd', 'rWMgX7D4J2', 'TjUg6u7XcN', 'T0tgd6vUnh', 'Fs7gTFivJU', 'E3rgfpQ4bZ', 'fQ2gtuXeAO'
          Source: 0.2.Aviso de transferencia.exe.391e790.2.raw.unpack, MainForm.csHigh entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
          Source: 0.2.Aviso de transferencia.exe.391e790.2.raw.unpack, at4ONG9F0NYCELN5Tj.csHigh entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'
          Source: 0.2.Aviso de transferencia.exe.294e1e0.1.raw.unpack, WTlNonEqlrS.csHigh entropy of concatenated method names: 'RWIUTDDJGmvVUeD', 'DHwRZvzGtdyaOf', 'NVxhYPkjFbHe', 'QkrTDbktNZMNeeJWG', 'ullDtQBniM', 'uYnSlYOLGcD', 'hTHxBxeTyyhQFG', 'GPwCvvvaQvBVarLM', 'YirdoSqTbqrnwm', 'SPWfuVwfHoJf'
          Source: 0.2.Aviso de transferencia.exe.9470000.5.raw.unpack, MainForm.csHigh entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
          Source: 0.2.Aviso de transferencia.exe.9470000.5.raw.unpack, at4ONG9F0NYCELN5Tj.csHigh entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, FWPZvPGG2NGeDrUUHY.csHigh entropy of concatenated method names: 'm28b1BvpWT', 'PkdbClNA1u', 'MxCbSVfhTl', 'TlXbigjs3R', 'J2kblqUKTq', 'XkjbMRBPH5', 'aA9hCeLsMUP0pfIPyX', 'sBAofHbUJntJD6js4E', 'VfdbbvK3rs', 'cvcbPeSaMZ'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, WA6GRlsXjrrb6h4V29.csHigh entropy of concatenated method names: 'k0RrScAQM5', 'rR3riCRHVK', 'ToString', 'j9Yra0sFdG', 'NI6r5fHQDA', 'CJQrx2BYUx', 'yaFrqU3QvM', 'W6rr7LuyqE', 'IMBr1fQd5J', 'EhSrC8fMF5'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, ToMYSNwPJjwfUjKiDX.csHigh entropy of concatenated method names: 'onYxGrDCoh', 'Hfjx6Roi9c', 'Ku1xTIoIib', 'Q3uxfLC9Ee', 'jPExlpDb2Y', 'V4IxM7v6Jq', 'su8xrjkWvk', 'lNgxelG0MM', 'tsCxg4CEYj', 'q7Oxp20r1k'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, rbKcFf1hn3nuDKVnef.csHigh entropy of concatenated method names: 'eMp8TvZM26', 'JA58fi4pbd', 'qbN8Oqp5KY', 'Awx8UeZtub', 'zrU8kc5L4m', 'A3c8W8qRqt', 'f6x8N37mlL', 'rZh8uinnh5', 'AXH8Ass1tZ', 'sZM8c4LPBY'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, IVMLjFLnhdQ1HlELP2.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'VInnZeGVGj', 'GoqnsmG2d3', 'MT4nzap8Xq', 'kiYP4l5e2T', 'kVjPbr23g0', 'Lp8Pn7ogif', 'H5tPPfG8Ws', 'R6srAt2RtMAlS7vMLJ2'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, Y5OXvHoCJOO5s0nEDnc.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i0bp9yXiWb', 'WmCpBmQ666', 'iAJpQgqp9m', 'xSgpmM2l3I', 'tKLpFOtwb5', 'qG4pwX0vO7', 'D6uphhFc3e'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, gqJfJAx8xBdgZ9jvfn.csHigh entropy of concatenated method names: 'UBplApSBG0', 'CSylV26SfF', 'PPXl99RIst', 'DCHlBpUpJ1', 'x4RlU9hkZ1', 'nFal3npcEO', 'MtxlkWJeWv', 'KBZlWlFFl8', 'Qf7l2pnuJo', 'YS9lNQRdvj'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, kbHWljzWNZfp9m7kBG.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pmRg8udPNO', 'hRagl4U3f3', 'bDSgMbvsO6', 'DPxgrA4G68', 'P3BgetaRGA', 'zvdggm3qqi', 'FAxgpeeRgZ'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, ugghWu4CxStT66wXqh.csHigh entropy of concatenated method names: 'oy5DBNSUB', 'FGFGipMaw', 'NpI6NSSBs', 'KHvd32E5I', 'l5pfQN5wn', 'CD3tHNiOK', 'R4Qwi5VchBnkqXqx0k', 'Brkb7a6Re3Y2LIGnqQ', 'uY2e6ToS0', 'tlDpOx4Jl'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, Eu76Pinjur1WC8R1bI.csHigh entropy of concatenated method names: 'Dispose', 'XXlbZKWtps', 'rcVnUDyCKH', 'UNJvv2nZY6', 'oFlbs6nrh1', 'HTWbzT2ik8', 'ProcessDialogKey', 'rHxn4IfIVc', 'm6mnbUClj6', 'IGSnn2IDgo'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, PghQQxhulwqEmG4nhN.csHigh entropy of concatenated method names: 'SCr1a9OA82', 'bMS1xGUGrS', 'Qh3179NGO0', 'gKB7slngI4', 'SIg7zjLt29', 'VS814RNfnH', 'qjn1bipyvD', 'UVB1nYnQtR', 'Jy61PMj7Ai', 'Rmt1ESlngJ'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, QovWQ95hEMVPSioj6l.csHigh entropy of concatenated method names: 'mVjPJpTBaf', 'yBgPahd80b', 'SrlP5xemuc', 'OTsPxZLh2m', 'EQgPq902QU', 'sFnP7j2EoW', 'AndP1SF0hq', 'xX8PCd9YZT', 'NPVPjyZ5eg', 'yahPSPoE6Z'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, UorxSMiASt35xqJabR.csHigh entropy of concatenated method names: 'F92eavAvut', 'RDke5HsUXA', 'qvHexZ7Ryu', 'HGteq7LvPp', 'zCRe7XE3kQ', 'J9Ue1PMApv', 'FVheCVorxq', 'uC5ejcUd0U', 'QygeSHS9ko', 'RG3eiyueKu'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, hfqTgZkGrRl1qdRosh.csHigh entropy of concatenated method names: 'DLH59i3syv', 'qp45Bi55eO', 'kqH5QfaYjQ', 'gth5m5JPoK', 'DgW5FCMtgE', 'Jug5wJGx0M', 'suS5hgIk3M', 'uUJ5Kjhe7M', 'QwK5ZcXGO7', 'lBM5sfq6Iy'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, LBxSyvu289TtN9ADpD.csHigh entropy of concatenated method names: 'xM11YHknnY', 'vwo1LIrit8', 'gyv1DDMjry', 'A0B1GC1MAY', 'kUj1XYuFDu', 'xos16TtISL', 'IVw1dR3m76', 'bs41TroFMX', 'ASp1fB9gLm', 'mmm1tvNFnw'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, KXg8lGUCjkZ60m9tpN.csHigh entropy of concatenated method names: 'EA5rKlDqU4', 'HOErsfeoEr', 'D07e4gVjQU', 'pWHebWct9Z', 'DBcrcUX82O', 'lJKrVNhY6K', 'vJ3rRxqXvp', 'sGir9gQbpN', 'a4GrBGBuV1', 'R95rQ6LPo6'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, aACaaqoo25a3Cr8Gy0a.csHigh entropy of concatenated method names: 'ToString', 'Oh2pPJJC19', 'JoFpEpi6up', 'KXqpJ7Qo1O', 'oHXpaOOCvm', 'lb7p58Oc0k', 'd19pxFfWAY', 'UB1pqLnBYf', 'KTw3IaRTu20IjZQQoeG', 'yg27sHRUj5LtwlJPalP'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, BgDWOvXaAOTDj6q3GW.csHigh entropy of concatenated method names: 'HZvgbgIImc', 'xUQgPAN7eB', 'NZAgEVKTDj', 'uJkgaK0axf', 'OBig5oNmJX', 'dRIgqkpY2C', 'IIQg7u4mUL', 'pQFeh2Fy4N', 'Xk4eKtvsUT', 'FJVeZc68mn'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, OZlkGMeTjLUBpXpOD9.csHigh entropy of concatenated method names: 'wZ77Jv6Iuq', 'IFx75n7Ip2', 'F6g7qorkPh', 'DXT718eleb', 'HHj7CVXHMl', 'bKqqFoutdP', 'v8VqwnP71j', 'h82qhvlqK7', 'i78qK9xx31', 'hJgqZdsHQx'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, QLh9wcFTubJ9cQf2No.csHigh entropy of concatenated method names: 'viUqXRFK3v', 'Wawqd6db67', 'qnGx39xHt3', 'tSuxk8REXG', 'lHcxWoTqwr', 'roQx2yGmwK', 'wAvxNiYDTM', 'pQTxuwdy6M', 'La2x0belxC', 'ymcxADg50r'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, YLXyXgPv3TfBp95E08.csHigh entropy of concatenated method names: 'MdWeOojQeb', 'kLUeU0bRne', 'KIOe3o0f2T', 'HYjekZcpqs', 'CJSe9krxNO', 'tL2eWxu3Jo', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.Aviso de transferencia.exe.3a793f0.4.raw.unpack, zYKgdvolWu7dOybkTTi.csHigh entropy of concatenated method names: 'UWugYQUGug', 'mCjgLIdtlV', 'WQugDCEq3L', 'h7lgGyxNkd', 'rWMgX7D4J2', 'TjUg6u7XcN', 'T0tgd6vUnh', 'Fs7gTFivJU', 'E3rgfpQ4bZ', 'fQ2gtuXeAO'
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe File created: C:\Users\user\AppData\Local\Temp\windowsBook.exe

          Boot Survival

          Source: Yara match File source: 0.2.Aviso de transferencia.exe.294e1e0.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.Aviso de transferencia.exe.295a0bc.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 8.2.Aviso de transferencia.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.Aviso de transferencia.exe.295a0bc.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 17.2.windowsBook.exe.2edae1c.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.Aviso de transferencia.exe.294e1e0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 17.2.windowsBook.exe.2ee6cf8.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 17.2.windowsBook.exe.2edae1c.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 17.2.windowsBook.exe.2ee6cf8.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000008.00000002.1320113027.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.1275545686.0000000002948000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000016.00000002.2486571211.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.1390252194.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: Aviso de transferencia.exe PID: 6756, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: Aviso de transferencia.exe PID: 7212, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: windowsBook.exe PID: 7760, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: windowsBook.exe PID: 7928, type: MEMORYSTR
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"'
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
          Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara matchFile source: Process Memory Space: Aviso de transferencia.exe PID: 6756, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: windowsBook.exe PID: 7760, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: windowsBook.exe PID: 7800, type: MEMORYSTR
          Source: Yara matchFile source: 0.2.Aviso de transferencia.exe.294e1e0.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Aviso de transferencia.exe.295a0bc.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.Aviso de transferencia.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Aviso de transferencia.exe.295a0bc.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.2.windowsBook.exe.2edae1c.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Aviso de transferencia.exe.294e1e0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.2.windowsBook.exe.2ee6cf8.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.2.windowsBook.exe.2edae1c.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.2.windowsBook.exe.2ee6cf8.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000008.00000002.1320113027.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.1275545686.0000000002948000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000016.00000002.2486571211.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.1390252194.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: Aviso de transferencia.exe PID: 6756, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: Aviso de transferencia.exe PID: 7212, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: windowsBook.exe PID: 7760, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: windowsBook.exe PID: 7928, type: MEMORYSTR
Source: Aviso de transferencia.exe, 00000000.00000002.1275545686.0000000002948000.00000004.00000800.00020000.00000000.sdmp, Aviso de transferencia.exe, 00000008.00000002.1320113027.0000000000402000.00000040.00000400.00020000.00000000.sdmp, windowsBook.exe, 00000011.00000002.1390252194.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Memory allocated (memory reserve | memory write watch) at: 10D0000, 2900000, 4900000, 9870000, A870000, AAB0000, BAB0000, 1580000, 3580000, 1CB0000
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Memory allocated (memory reserve | memory write watch) at: 2CE0000, 2ED0000, 2D10000, 7790000, 8790000, 8920000, 9920000, FC0000, 2BC0000, 2B10000, 7370000, 8370000, 8500000, 9500000, 2EA0000, 3040000, 5040000, 2CD0000, 2ED0000, 4ED0000
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Thread delayed: delay time: 922337203685477 (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Window / User API: threadDelayed 1688
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Window / User API: threadDelayed 8172
Source: C:\Users\user\Desktop\Aviso de transferencia.exe TID: 3960 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Aviso de transferencia.exe TID: 7256 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe TID: 7784 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe TID: 7820 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe TID: 7884 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe TID: 8096 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe TID: 8116 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe TID: 8124 | Thread sleep count: 1688 > 30
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe TID: 8124 | Thread sleep count: 8172 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | File Volume queried: C:\ FullSizeInformation (2 occurrences)
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Thread delayed: delay time: 922337203685477 (4 occurrences)
Source: windowsBook.exe, 00000011.00000002.1390252194.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: windowsBook.exe, 00000016.00000002.2492243462.000000000540D000.00000004.00000020.00020000.00000000.sdmp, windowsBook.exe, 00000016.00000002.2492185882.0000000005403000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: windowsBook.exe, 00000016.00000002.2483789589.000000000133B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWhd@
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Process token adjusted: Debug (2 occurrences)
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Memory written: C:\Users\user\Desktop\Aviso de transferencia.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Memory written: C:\Users\user\AppData\Local\Temp\windowsBook.exe base: 400000 value starts with: 4D5A (2 occurrences)
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Process created: C:\Users\user\Desktop\Aviso de transferencia.exe "C:\Users\user\Desktop\Aviso de transferencia.exe"
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCD5C.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe"
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Process created: C:\Users\user\AppData\Local\Temp\windowsBook.exe "C:\Users\user\AppData\Local\Temp\windowsBook.exe" (3 occurrences)
Source: windowsBook.exe, 00000016.00000002.2486571211.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 00000016.00000002.2486571211.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 00000016.00000002.2486571211.0000000002F60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: windowsBook.exe, 00000016.00000002.2486571211.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager`,
Source: windowsBook.exe, 00000016.00000002.2486571211.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 00000016.00000002.2486571211.0000000002F60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe
Source: windowsBook.exe, 00000016.00000002.2486571211.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 00000016.00000002.2486571211.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 00000016.00000002.2486571211.0000000002F60000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Queries volume information: C:\Users\user\Desktop\Aviso de transferencia.exe VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\windowsBook.exe VolumeInformation (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (3 occurrences)
Source: C:\Users\user\Desktop\Aviso de transferencia.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 0.2.Aviso de transferencia.exe.294e1e0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Aviso de transferencia.exe.295a0bc.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Aviso de transferencia.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Aviso de transferencia.exe.295a0bc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.windowsBook.exe.2edae1c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Aviso de transferencia.exe.294e1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.windowsBook.exe.2ee6cf8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.windowsBook.exe.2edae1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.windowsBook.exe.2ee6cf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.1320113027.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1275545686.0000000002948000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2486571211.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1390252194.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Aviso de transferencia.exe PID: 6756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Aviso de transferencia.exe PID: 7212, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: windowsBook.exe PID: 7760, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: windowsBook.exe PID: 7928, type: MEMORYSTR
Source: windowsBook.exe, 00000016.00000002.2483789589.000000000133B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\windowsBook.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
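The rows in the evasion, protection-evasion and security-settings sections above (the effectively infinite thread delays, the sleep loops, the MZ header written at base 400000 into a freshly spawned copy of the process itself, the schtasks onlogon task pointing into %TEMP% with /rl highest, and the root\SecurityCenter2 AntivirusProduct query) are the ones an analyst triaging many such reports wants flagged automatically. The Python below is an added example written for this page; it is not Joe Sandbox code or output. The Row records are constructed to mirror the report's rows, and the tag names, the 3-minute threshold (chosen to match the report's "Contains long sleeps (>= 3 min)" signature) and the dedupe rule are assumptions of the example.

```python
"""Triage of sandbox behaviour rows (added example; not part of the Joe Sandbox report or product)."""
import re
from dataclasses import dataclass

# Threshold of the report's "Contains long sleeps (>= 3 min)" signature, in milliseconds.
LONG_SLEEP_MS = 3 * 60 * 1000
# Integer part of TimeSpan.MaxValue.TotalMilliseconds (Int64.MaxValue ticks / 10000):
# the value in the report's "Thread delayed" rows, i.e. an effectively infinite wait.
DOTNET_TIMESPAN_MAX_MS = 922_337_203_685_477
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# schtasks options worth extracting; values may be bare, "double-quoted" or 'single-quoted'.
SCHTASKS_OPT_RE = re.compile(r"""/(sc|rl|tn|tr)\s+('[^']*'|"[^"]*"|\S+)""", re.IGNORECASE)
MZ_WRITE_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: 4D5A")


@dataclass(frozen=True)
class Row:
    process: str  # the "Source:" cell (writer / caller)
    event: str    # e.g. "Thread delayed", "Memory written", "Process created", "WMI Queries"
    detail: str   # the rest of the row


def parse_schtasks(cmdline: str) -> dict:
    """Return the /sc, /rl, /tn and /tr values of a schtasks command line, quotes stripped."""
    return {k.lower(): v.strip("'\"") for k, v in SCHTASKS_OPT_RE.findall(cmdline)}


def triage(rows) -> list:
    """Map rows to (tag, subject) findings; duplicates (e.g. cmd.exe and schtasks.exe rows) collapse."""
    findings = []

    def add(tag, subject):
        if (tag, subject) not in findings:
            findings.append((tag, subject))

    for r in rows:
        ev, d = r.event.lower(), r.detail
        if ev == "thread delayed":
            m = re.search(r"delay time:\s*(\d+)", d)
            ms = int(m.group(1)) if m else 0
            if ms >= DOTNET_TIMESPAN_MAX_MS:
                add("sleep_infinite", r.process)
            elif ms >= LONG_SLEEP_MS:
                add("sleep_long", r.process)
        elif ev == "thread sleep count":
            # Many short sleeps in a loop ("1688 > 30") stall a sandbox as well as one long sleep.
            m = re.search(r"(\d+)\s*>\s*(\d+)", d)
            if m and int(m.group(1)) > int(m.group(2)):
                add("sleep_loop", r.process)
        elif ev == "memory written":
            m = MZ_WRITE_RE.match(d)
            if m:
                # A PE header written at another process's image base is injection; when the
                # target path equals the writer's own path (a suspended copy of itself), hollowing.
                same = m.group("target").strip().lower() == r.process.lower()
                add("hollow_self" if same else "inject_pe", r.process)
        elif ev == "process created" and "schtasks" in d.lower():
            o = parse_schtasks(d)
            if o.get("sc", "").lower() == "onlogon" and TEMP_DIR_RE.search(o.get("tr", "")):
                add("persist_onlogon_temp", o.get("tn", "?"))
            if o.get("rl", "").lower() == "highest":
                add("task_runlevel_highest", o.get("tn", "?"))
        elif ev == "wmi queries":
            if "securitycenter2" in d.lower() and "antivirusproduct" in d.lower():
                add("av_discovery", r.process)
    return findings


# Constructed rows modelled on the report's signature rows above (not copied from the page).
SAMPLE_ROWS = [
    Row(r"C:\Users\user\Desktop\Aviso de transferencia.exe", "Thread delayed", "delay time: 922337203685477"),
    Row(r"C:\Users\user\AppData\Local\Temp\windowsBook.exe", "Thread sleep count", "8172 > 30"),
    Row(r"C:\Users\user\AppData\Local\Temp\windowsBook.exe", "Memory written",
        r"C:\Users\user\AppData\Local\Temp\windowsBook.exe base: 400000 value starts with: 4D5A"),
    Row(r"C:\Users\user\Desktop\Aviso de transferencia.exe", "Process created",
        r'''C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit'''),
    Row(r"C:\Windows\SysWOW64\cmd.exe", "Process created",
        r'''C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' '''),
    Row(r"C:\Users\user\AppData\Local\Temp\windowsBook.exe", "WMI Queries",
        r"IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct"),
    # Control row: an ordinary short sleep must not be flagged.
    Row(r"C:\Windows\System32\notepad.exe", "Thread delayed", "delay time: 500"),
]

if __name__ == "__main__":
    for tag, subject in triage(SAMPLE_ROWS):
        print(f"{tag:24} {subject}")
```

Two details worth keeping in mind when adapting this: the 922337203685477 figure is simply TimeSpan.MaxValue expressed in milliseconds, so any delay at or beyond the sandbox's own timeout should be treated as a stall rather than compared against a fixed wall-clock budget; and the self-hollowing rule compares image paths, not PIDs, because the report's rows show the writer and the target under the same path (the child is a suspended copy of the parent).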

          Stealing of Sensitive Information

Source: Yara match | File source: 0.2.Aviso de transferencia.exe.9470000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Aviso de transferencia.exe.391e790.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Aviso de transferencia.exe.9470000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Aviso de transferencia.exe.391e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1276809734.0000000009470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1275781875.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: 0.2.Aviso de transferencia.exe.9470000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Aviso de transferencia.exe.391e790.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Aviso de transferencia.exe.9470000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Aviso de transferencia.exe.391e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1276809734.0000000009470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1275781875.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix, one line per tactic (column), cells listed top to bottom. A number in parentheses is the report's count badge for a technique it observed; the remaining cells are the unmarked entries of the report's matrix.

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology
Resource Development: Scripting (1) | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1) | Scheduled Task/Job (2) | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter
Persistence: Scheduled Task/Job (2) | Scripting (1) | DLL Side-Loading (1) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At
Privilege Escalation: Process Injection (112) | Scheduled Task/Job (2) | DLL Side-Loading (1) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At
Defense Evasion: Masquerading (1) | Disable or Modify Tools (1) | Virtualization/Sandbox Evasion (31) | Process Injection (112) | Deobfuscate/Decode Files or Information (1) | Obfuscated Files or Information (131) | Software Packing (22) | Timestomp (1) | DLL Side-Loading (1)
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow
Discovery: Query Registry (1) | Security Software Discovery (221) | Process Discovery (2) | Virtualization/Sandbox Evasion (31) | Application Window Discovery (1) | File and Directory Discovery (1) | System Information Discovery (13) | System Owner/User Discovery | Network Sniffing
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections
Collection: Archive Collected Data (11) | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged
Command and Control: Encrypted Channel (1) | Non-Standard Port (1) | Non-Application Layer Protocol (1) | Application Layer Protocol (11) | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 1538536 | Sample: Aviso de transferencia.exe | Start date: 21/10/2024 | Architecture: WINDOWS | Score: 100
Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
Contacted host: quin.ydns.eu

Process tree as drawn in the graph:
Aviso de transferencia.exe (started)
  dropped: C:\Users\...\Aviso de transferencia.exe.log, ASCII
  signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Injects a PE file into a foreign processes
  -> Aviso de transferencia.exe (started)
       dropped: C:\Users\user\AppData\...\windowsBook.exe, PE32
       -> cmd.exe
            -> windowsBook.exe
                 signatures: Injects a PE file into a foreign processes
                 -> windowsBook.exe
                      -> quin.ydns.eu (185.38.142.240), ports 1962 (remote) / 49775 (local), NETSOLUTIONSNL, Portugal
            -> conhost.exe
            -> timeout.exe
       -> cmd.exe
            signatures: Uses schtasks.exe or at.exe to add and modify task schedules
            -> conhost.exe
            -> schtasks.exe
windowsBook.exe (started)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  -> windowsBook.exe
  -> windowsBook.exe

Source | Detection | Scanner
Aviso de transferencia.exe | 24% | ReversingLabs
Aviso de transferencia.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\windowsBook.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\windowsBook.exe | 24% | ReversingLabs

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
quin.ydns.eu | 185.38.142.240 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
quin.ydns.eu | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://tempuri.org/DatabaseWalletDataSet.xsd | Aviso de transferencia.exe, windowsBook.exe.8.dr | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Aviso de transferencia.exe, 00000008.00000002.1322217899.00000000036A8000.00000004.00000800.00020000.00000000.sdmp, windowsBook.exe, 00000016.00000002.2486571211.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

Reputation scale: No. of IPs < 25% | 25% < No. of IPs < 50% | 50% < No. of IPs < 75% | 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
185.38.142.240 | quin.ydns.eu | Portugal | 47674 | NETSOLUTIONSNL | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1538536
                  Start date and time:2024-10-21 14:17:11 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 6m 57s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:27
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:Aviso de transferencia.exe
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@23/7@1/1
                  EGA Information:
                  • Successful, ratio: 50%
                  HCA Information:
                  • Successful, ratio: 99%
                  • Number of executed functions: 189
                  • Number of non-executed functions: 12
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 199.232.210.172
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, time.windows.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target Aviso de transferencia.exe, PID 7212 because it is empty
                  • Execution Graph export aborted for target windowsBook.exe, PID 7848 because it is empty
                  • Execution Graph export aborted for target windowsBook.exe, PID 7928 because it is empty
• Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  • VT rate limit hit for: Aviso de transferencia.exe
Time | Type | Description
08:18:09 | API Interceptor | 1x Sleep call for process: Aviso de transferencia.exe modified
08:18:20 | API Interceptor | 4x Sleep call for process: windowsBook.exe modified
14:18:16 | Task Scheduler | Run new task: windowsBook path: "C:\Users\user\AppData\Local\Temp\windowsBook.exe"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.38.142.240 | rUAE_LPO.com.exe | malicious | AsyncRAT, PureLog Stealer |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | 258491645830653677.js | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | ekte.exe | malicious | FormBook | 199.232.210.172
bg.microsoft.map.fastly.net | https://library.wic.ac.uk/upload/~/app/step2.php?id=37602430 | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://library.wic.ac.uk/upload/~/app/step3.php?id=5384235 | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs | malicious | GuLoader | 199.232.214.172
bg.microsoft.map.fastly.net | Message_2530136.eml | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | ekte.exe | malicious | FormBook | 199.232.210.172
bg.microsoft.map.fastly.net | https://weiderergmbh-my.sharepoint.de/:o:/g/personal/s_kreuzer_luxapark_de/En8ihQEtXF1HtuEzkWTEmvQBXZUe8GC_guY4c0qSMi2Czg?e=5%3aJCIXIb&at=9 | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://evriservicescompany.com/ | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | d600758023374f78d58acafbcaf94af66ad203b28e22a.exe | malicious | Quasar | 199.232.214.172
quin.ydns.eu | rUAE_LPO.com.exe | malicious | AsyncRAT, PureLog Stealer | 185.38.142.240
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NETSOLUTIONSNL | rUAE_LPO.com.exe | malicious | AsyncRAT, PureLog Stealer | 185.38.142.240
NETSOLUTIONSNL | A9BripDhRY.lnk | malicious | Unknown | 185.38.142.128
NETSOLUTIONSNL | 93.123.85.253-bot.armv4l-2024-08-28T17_49_11.elf | malicious | Unknown | 188.93.233.79
NETSOLUTIONSNL | a591d3d035cf90395ad1078a415a46b5b44dd813496291b702fe36cfb22dee36_dump.exe | malicious | RedLine | 185.38.142.10
NETSOLUTIONSNL | b3u71vBG0u.exe | malicious | RedLine | 185.38.142.10
NETSOLUTIONSNL | 2MbHBiqXH2.rtf | malicious | RedLine | 185.38.142.10
NETSOLUTIONSNL | YPSvIjQCzd.exe | malicious | RedLine | 185.38.142.10
NETSOLUTIONSNL | Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc | malicious | RedLine | 185.38.142.10
NETSOLUTIONSNL | MSH INV 2024-0117 Secure Payment Invoice for .exe | malicious | RedLine | 185.38.142.10
NETSOLUTIONSNL | sclfmLKwR7.elf | malicious | Gafgyt, Mirai | 185.38.142.103
                    No context
                    No context
                    Process:C:\Users\user\AppData\Local\Temp\windowsBook.exe
                    File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):71954
                    Entropy (8bit):7.996617769952133
                    Encrypted:true
                    SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                    MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                    SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                    SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                    SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                    Process:C:\Users\user\AppData\Local\Temp\windowsBook.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):328
                    Entropy (8bit):3.2478978672539016
                    Encrypted:false
                    SSDEEP:6:kK7zF9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:zzsDImsLNkPlE99SNxAhUe/3
                    MD5:8DEF95ECFD86D7B0E263DA1F5B285BAF
                    SHA1:16A67009F0575422BDF6AA5B64068C0E18F5B9D0
                    SHA-256:BE64D3EB72F0B8F029CA5DAB4869114CAC16996CD0769C0C1C9617E5D346F9AD
                    SHA-512:F341F5EE5C3EE5D2F1BB1D9058F8A09CD173E7548280EDF40035DB546755E84CF27CD3DEC6704CB3F48859307FCEBD85EACEDAFFC87B448AE4E5C3D6D5B67275
                    Malicious:false
Preview:p...... ..........U.#..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
Decoded UTF-16LE string (the dots above are the null bytes of the wide-character encoding): http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab "a7282eb40b1da1:0" (the Windows certificate-trust-list download URL; ctldl.windowsupdate.com is in this report's whitelisted domains)
                    Process:C:\Users\user\Desktop\Aviso de transferencia.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1216
                    Entropy (8bit):5.34331486778365
                    Encrypted:false
                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                    Malicious:true
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                    Process:C:\Users\user\AppData\Local\Temp\windowsBook.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1216
                    Entropy (8bit):5.34331486778365
                    Encrypted:false
                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                    Malicious:false
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                    Process:C:\Users\user\Desktop\Aviso de transferencia.exe
                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):166
                    Entropy (8bit):5.043945954580936
                    Encrypted:false
                    SSDEEP:3:mKDDCMNqTtvL5o0nacwRE2J5xAIhTsmqRD0nacwRE2J5xAInTRIMGmloL1ZPy:hWKqTtT6cNwi23fhTsmq1cNwi23fTtGa
                    MD5:114782AD96C91AECE1527EDC2FBE6363
                    SHA1:6DB150820FCCD5D5193C37E3E5EE31BDD4B0455E
                    SHA-256:748B349FAD1659FA03B0EF4F46223ED8797C42B40410B582DBDE243F45AF5148
                    SHA-512:0B15896CED567DF35A227F5E0F73D77BAAD8C91757722AE8A7B24B1B0DAC74D31A276D2EFDB7045C87B9E5A3CEF7F9907A37C78AF1686401B9A195AABF5395B2
                    Malicious:false
Preview (CRLF line terminators restored):
@echo off
timeout 3 > NUL
START "" "C:\Users\user\AppData\Local\Temp\windowsBook.exe"
CD C:\Users\user\AppData\Local\Temp\
DEL "tmpCD5C.tmp.bat" /f /q
                    Process:C:\Users\user\Desktop\Aviso de transferencia.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):509440
                    Entropy (8bit):7.893327073826682
                    Encrypted:false
                    SSDEEP:12288:9dSkhMOoltiJWCjRPuUW8FmGevNPJWBG9ythzO40BUhq:DSkh5oDiJhuUdyPJWBGYthzOBBJ
                    MD5:8D664129AF173ED945236EFB82D4AD67
                    SHA1:7E0F8F79786EBBEB561171032EA65FCFCD6DB437
                    SHA-256:AE26ACE2F3BCB3C94A3A8AF4A6684DA129AA08D73C18A5311D7491D006B20042
                    SHA-512:A0217BF3C09B55B56A2B1D2E520406C920EBE9397E0B8054810244BE5C01674695615F90C180AE17B3797886A0829744A576B98ADDE24B8523B681B8B4BCC1BA
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 24%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@.................................d...O.......<...........................<...p............................................ ............... ..H............text........ ...................... ..`.rsrc...<...........................@..@.reloc..............................@..B........................H...........XY......y.......0............................................0............}......}......}......}......}......}.....r...p}.....r...p}.....(....}.....( ...}............}............}......}.....(!......(+....*..0..)........{.........("...t......|......(...+...3.*....0..)........{.........($...t......|......(...+...3.*....0..)........{.........("...t......|......(...+...3.*....0..)........{.........($...t......|......(...+...3.*&...}....*..0............{.....+..*.0..
                    Process:C:\Windows\SysWOW64\timeout.exe
                    File Type:ASCII text, with CRLF line terminators, with overstriking
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.41440934524794
                    Encrypted:false
                    SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                    MD5:3DD7DD37C304E70A7316FE43B69F421F
                    SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                    SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                    SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                    Malicious:false
                    Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.893327073826682
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    • Win32 Executable (generic) a (10002005/4) 49.75%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Windows Screen Saver (13104/52) 0.07%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    File name:Aviso de transferencia.exe
                    File size:509'440 bytes
                    MD5:8d664129af173ed945236efb82d4ad67
                    SHA1:7e0f8f79786ebbeb561171032ea65fcfcd6db437
                    SHA256:ae26ace2f3bcb3c94a3a8af4a6684da129aa08d73c18a5311d7491d006b20042
                    SHA512:a0217bf3c09b55b56a2b1d2e520406c920ebe9397e0b8054810244be5c01674695615f90c180ae17b3797886a0829744a576b98adde24b8523b681b8b4bcc1ba
                    SSDEEP:12288:9dSkhMOoltiJWCjRPuUW8FmGevNPJWBG9ythzO40BUhq:DSkh5oDiJhuUdyPJWBGYthzOBBJ
                    TLSH:E8B4014033FC4F1BEA3A6BFA50F4506117F6998AA961F71D5CC721EB4522F428A60F1B
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@................................
                    Icon Hash:00928e8e8686b000
                    Entrypoint:0x47d9b6
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0xC5CCFDE4 [Thu Feb 28 02:18:12 2075 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
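The Time Stamp row above decodes 0xC5CCFDE4 to a date in 2075, which is what triggers the "Binary contains a suspicious time stamp" signature listed for this sample. The following Python is an added example, not part of the Joe Sandbox report: it reproduces that decoding and adds the check an analyst wants before treating a future-dated stamp on a .NET assembly as evidence of tampering, namely that Roslyn's deterministic builds write a content-hash-derived value with the high bit set into TimeDateStamp, which always decodes to a date after 2038. The analysis date is taken from the report's Suricata timestamps (2024-10-21); the verdict labels are my own.

```python
"""Decode and sanity-check a PE TimeDateStamp (added example, not report code)."""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Values from the report: Time Stamp 0xC5CCFDE4, analysis run on 2024-10-21.
SAMPLE_TIMESTAMP = 0xC5CCFDE4
ANALYSIS_DATE = datetime(2024, 10, 21, tzinfo=timezone.utc)


def decode_timestamp(stamp: int) -> datetime:
    """TimeDateStamp is an unsigned 32-bit count of seconds since the Unix epoch.
    timedelta arithmetic avoids platform limits of datetime.fromtimestamp()
    for far-future values."""
    return EPOCH + timedelta(seconds=stamp & 0xFFFFFFFF)


def classify_timestamp(stamp: int, analysis_date: datetime) -> dict:
    """Decoded UTC time plus two independent flags:
    - future: later than the analysis date, so it cannot be a genuine link time
    - deterministic_marker: high bit set, the pattern Roslyn emits for
      /deterministic builds (a hash folded into the field, not a date)"""
    when = decode_timestamp(stamp)
    return {
        "utc": when,
        "future": when > analysis_date,
        "deterministic_marker": bool(stamp & 0x80000000),
    }


def verdict(stamp: int, analysis_date: datetime, is_dotnet: bool) -> str:
    """'plausible'                    - not in the future
       'deterministic-build-candidate' - future-dated .NET stamp with the hash
                                        marker; not proof of forgery on its own
       'forged-or-corrupt'            - future-dated with no benign explanation"""
    info = classify_timestamp(stamp, analysis_date)
    if not info["future"]:
        return "plausible"
    if is_dotnet and info["deterministic_marker"]:
        return "deterministic-build-candidate"
    return "forged-or-corrupt"


if __name__ == "__main__":
    info = classify_timestamp(SAMPLE_TIMESTAMP, ANALYSIS_DATE)
    print(info["utc"].strftime("%a %b %d %H:%M:%S %Y UTC"), info)
    print(verdict(SAMPLE_TIMESTAMP, ANALYSIS_DATE, is_dotnet=True))
```

For this sample the stamp is future-dated and has the high bit set, so on its own it is consistent with a deterministic build of a .NET assembly; the packer indicators and the C2 traffic elsewhere in the report carry the weight, not the date.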
Entrypoint instructions:
jmp dword ptr [00402000h]
(the remaining stub bytes are 0x00 padding, which the disassembler renders as 97 repetitions of "add byte ptr [eax], al"; 0x402000 is the single IAT slot, RVA 0x2000 plus the 0x400000 image base, holding mscoree.dll!_CorExeMain, the standard managed-code entry stub)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7d964 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7e000 | 0x63c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x80000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7b23c | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7b9bc | 0x7ba00 | 8da60fb641d9d5c90d9bf999944594ef | False | 0.9201805801314459 | OpenPGP Public Key Version 7 | 7.9062155732125765 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x7e000 | 0x63c | 0x800 | 0d66329dc362e874be0e7e71eb9d3e5f | False | 0.34375 | data | 3.522781974943758 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x80000 | 0xc | 0x200 | 856e85440c0ca15d572b9b781d2eefe3 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x7e090 | 0x3ac | data | | | 0.42446808510638295
RT_MANIFEST | 0x7e44c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-21T14:18:28.281688+0200 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 185.38.142.240 | 1962 | 192.168.2.7 | 49775 | TCP
2024-10-21T14:18:28.281688+0200 | 2030673 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 185.38.142.240 | 1962 | 192.168.2.7 | 49775 | TCP
2024-10-21T14:18:28.281688+0200 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 185.38.142.240 | 1962 | 192.168.2.7 | 49775 | TCP
2024-10-21T14:18:28.281688+0200 | 2035607 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 185.38.142.240 | 1962 | 192.168.2.7 | 49775 | TCP
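All four alerts fire on the TLS server certificate of a single flow, 192.168.2.7:49775 to 185.38.142.240:1962, and the report's packet timeline for that flow shows the timing signature a network analyst would hunt for once the certificate rule is gone: the server sends a packet at 14:18:40.748, 14:19:10.748, 14:19:40.749 and 14:20:10.749 (30 s apart), and the client opens an exchange roughly every 14.66 s (14:18:44.310, 14:18:58.966, 14:19:13.622, 14:19:28.278, ...). The Python below is an added example, not part of the Joe Sandbox report: it groups a flow into bursts, attributes each burst to the side that broke the silence, and measures per-initiator cadence with a median and median absolute deviation so that one stretched interval (the first one, which includes the handshake) does not hide an otherwise fixed timer. The embedded packet rows are a subset copied from the report's timeline for this flow; the 2 s quiet gap and the 5% jitter bound are my choices, not values the report states.

```python
"""Beacon-cadence triage for one C2 flow (added example, not report code)."""
from statistics import median

CLIENT = "192.168.2.7"     # sandbox victim, source port 49775
SERVER = "185.38.142.240"  # AsyncRAT C2, port 1962

# (CEST wall-clock time, sender) - subset of the report's packet list for the flow
PACKETS = [
    ("14:18:27.428352118", CLIENT), ("14:18:27.433665991", SERVER),
    ("14:18:28.266586065", SERVER), ("14:18:28.574573994", CLIENT),
    ("14:18:29.659198999", CLIENT), ("14:18:29.672401905", SERVER),
    ("14:18:40.748640060", SERVER), ("14:18:40.793495893", CLIENT),
    ("14:18:40.918557882", CLIENT),
    ("14:18:44.310321093", CLIENT), ("14:18:44.315778017", SERVER),
    ("14:18:44.685868025", SERVER),
    ("14:18:58.966114998", CLIENT), ("14:18:59.341049910", SERVER),
    ("14:19:10.748553991", SERVER), ("14:19:10.918591976", CLIENT),
    ("14:19:13.622239113", CLIENT), ("14:19:13.997334957", SERVER),
    ("14:19:28.278130054", CLIENT), ("14:19:28.651787043", SERVER),
    ("14:19:40.749310970", SERVER), ("14:19:40.918579102", CLIENT),
    ("14:19:42.934695959", CLIENT), ("14:19:43.312243938", SERVER),
    ("14:19:57.592406988", CLIENT), ("14:19:57.967112064", SERVER),
    ("14:20:10.749448061", SERVER), ("14:20:10.918535948", CLIENT),
    ("14:20:13.028273106", CLIENT), ("14:20:13.392775059", SERVER),
]


def parse_ts(ts: str) -> float:
    """'HH:MM:SS.fffffffff' -> seconds since midnight (strptime's %f cannot take 9 digits)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def split_bursts(packets, quiet_gap=2.0):
    """Collapse the flow into bursts separated by >= quiet_gap seconds of silence.
    Returns [(burst_start_seconds, initiator_ip), ...]; the initiator is the
    side that sent the first packet after the silence."""
    bursts, last = [], None
    for ts, src in packets:
        t = parse_ts(ts)
        if last is None or t - last >= quiet_gap:
            bursts.append((t, src))
        last = t
    return bursts


def beacon_stats(bursts, initiator):
    """Interval statistics for the bursts opened by `initiator`.
    MAD (median absolute deviation) is used instead of standard deviation so a
    single outlier interval does not mask a timer-driven cadence."""
    starts = [t for t, src in bursts if src == initiator]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    if len(gaps) < 2:
        return {"bursts": len(starts), "median": None, "mad": None}
    med = median(gaps)
    mad = median([abs(g - med) for g in gaps])
    return {"bursts": len(starts), "median": med, "mad": mad}


def is_periodic(stats, max_mad_ratio=0.05, min_bursts=3):
    """Timer-driven if there are enough bursts and MAD is within 5% of the median."""
    if stats["median"] is None or stats["bursts"] < min_bursts:
        return False
    return stats["mad"] / stats["median"] <= max_mad_ratio


def summarize(packets=PACKETS):
    """Per-endpoint cadence for the flow; both sides of this sample run a timer."""
    bursts = split_bursts(packets)
    return {ip: beacon_stats(bursts, ip) for ip in (CLIENT, SERVER)}


if __name__ == "__main__":
    for ip, st in summarize().items():
        print(f"{ip}: {st['bursts']} bursts, median interval {st['median']}, "
              f"periodic={is_periodic(st)}")
```

On this subset the server-initiated bursts come out at a 30.000 s median with sub-millisecond MAD, and the client-initiated ones at a 14.657 s median; both classify as periodic even though the client's first interval (16.88 s) and one later one (15.44 s) are off, which is exactly the case a standard-deviation test would miss. Grouping by silence rather than by direction matters: most server packets in the report are replies inside client-opened bursts, and counting them as beacons would bury the 30 s timer.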
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 21, 2024 14:18:27.428352118 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:27.433665991 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:27.433747053 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:27.444564104 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:27.449923038 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:28.266586065 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:28.266606092 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:28.266689062 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:28.276408911 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:28.281687975 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:28.517374039 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:28.574573994 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:29.659198999 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:29.666515112 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:29.666572094 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:29.672401905 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:40.748640060 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:40.793495893 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:40.864810944 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:40.918557882 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:44.310321093 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:44.315778017 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:44.315881968 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:44.321177006 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:44.555716038 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:44.605891943 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:44.672353983 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:44.674150944 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:44.680293083 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:44.680380106 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:44.685868025 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:58.966114998 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:58.971426964 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:58.971502066 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:58.977067947 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:59.211204052 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:59.262171030 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:59.327712059 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:59.329469919 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:59.335589886 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:18:59.335676908 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:18:59.341049910 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:10.748553991 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:10.793561935 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:10.864550114 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:10.918591976 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:13.622239113 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:13.627655983 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:13.627727032 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:13.633040905 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:13.867919922 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:13.918557882 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:13.983944893 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:13.985897064 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:13.991338015 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:13.991465092 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:13.997334957 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:28.278130054 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:28.283444881 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:28.283515930 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:28.288866043 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:28.523392916 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:28.574718952 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:28.639596939 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:28.641052961 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:28.646409988 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:28.646495104 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:28.651787043 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:40.749310970 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:40.793714046 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:40.865466118 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:40.918579102 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:42.934695959 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:42.940592051 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:42.940738916 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:42.947382927 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:43.183751106 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:43.231007099 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:43.299782991 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:43.301278114 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:43.306703091 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:43.306787968 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:43.312243938 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:57.592406988 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:57.597701073 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:57.597769976 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:57.603091955 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:57.837631941 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:57.887381077 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:57.953531981 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:57.955519915 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:57.960978031 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:19:57.961064100 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:19:57.967112064 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:20:10.749448061 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:20:10.793569088 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:20:10.865566015 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:20:10.918535948 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:20:13.028273106 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:20:13.033833981 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:20:13.036900043 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:20:13.042279005 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:20:13.276534081 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
Oct 21, 2024 14:20:13.324791908 CEST | 49775 | 1962 | 192.168.2.7 | 185.38.142.240
Oct 21, 2024 14:20:13.392775059 CEST | 1962 | 49775 | 185.38.142.240 | 192.168.2.7
                    Oct 21, 2024 14:20:13.393474102 CEST497751962192.168.2.7185.38.142.240
                    Oct 21, 2024 14:20:13.399589062 CEST196249775185.38.142.240192.168.2.7
                    Oct 21, 2024 14:20:13.399857998 CEST497751962192.168.2.7185.38.142.240
                    Oct 21, 2024 14:20:13.405679941 CEST196249775185.38.142.240192.168.2.7
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Oct 21, 2024 14:18:27.411679983 CEST | 60998 | 53 | 192.168.2.7 | 1.1.1.1
                    Oct 21, 2024 14:18:27.425823927 CEST | 53 | 60998 | 1.1.1.1 | 192.168.2.7
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Oct 21, 2024 14:18:27.411679983 CEST | 192.168.2.7 | 1.1.1.1 | 0xf432 | Standard query (0) | quin.ydns.eu | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Oct 21, 2024 14:18:23.891134024 CEST | 1.1.1.1 | 192.168.2.7 | 0xf932 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                    Oct 21, 2024 14:18:23.891134024 CEST | 1.1.1.1 | 192.168.2.7 | 0xf932 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                    Oct 21, 2024 14:18:27.425823927 CEST | 1.1.1.1 | 192.168.2.7 | 0xf432 | No error (0) | quin.ydns.eu | | 185.38.142.240 | A (IP address) | IN (0x0001) | false


                    Target ID:0
                    Start time:08:18:04
                    Start date:21/10/2024
                    Path:C:\Users\user\Desktop\Aviso de transferencia.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\Aviso de transferencia.exe"
                    Imagebase:0x550000
                    File size:509'440 bytes
                    MD5 hash:8D664129AF173ED945236EFB82D4AD67
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1276809734.0000000009470000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1275545686.0000000002948000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.1275545686.0000000002948000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1275545686.0000000002948000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1275781875.0000000003909000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true

                    Target ID:8
                    Start time:08:18:09
                    Start date:21/10/2024
                    Path:C:\Users\user\Desktop\Aviso de transferencia.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\Aviso de transferencia.exe"
                    Imagebase:0xde0000
                    File size:509'440 bytes
                    MD5 hash:8D664129AF173ED945236EFB82D4AD67
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.1321474542.0000000001F88000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000002.1320113027.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000008.00000002.1320113027.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000008.00000002.1322217899.0000000003581000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.1322217899.0000000003581000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                    Reputation:low
                    Has exited:true

                    Target ID:11
                    Start time:08:18:14
                    Start date:21/10/2024
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"' & exit
                    Imagebase:0x410000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:12
                    Start time:08:18:14
                    Start date:21/10/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff75da10000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:13
                    Start time:08:18:14
                    Start date:21/10/2024
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCD5C.tmp.bat""
                    Imagebase:0x410000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:14
                    Start time:08:18:14
                    Start date:21/10/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff75da10000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:15
                    Start time:08:18:14
                    Start date:21/10/2024
                    Path:C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit):true
                    Commandline:schtasks /create /f /sc onlogon /rl highest /tn "windowsBook" /tr '"C:\Users\user\AppData\Local\Temp\windowsBook.exe"'
                    Imagebase:0xff0000
                    File size:187'904 bytes
                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:16
                    Start time:08:18:14
                    Start date:21/10/2024
                    Path:C:\Windows\SysWOW64\timeout.exe
                    Wow64 process (32bit):true
                    Commandline:timeout 3
                    Imagebase:0x4d0000
                    File size:25'088 bytes
                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:17
                    Start time:08:18:16
                    Start date:21/10/2024
                    Path:C:\Users\user\AppData\Local\Temp\windowsBook.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\windowsBook.exe
                    Imagebase:0xb20000
                    File size:509'440 bytes
                    MD5 hash:8D664129AF173ED945236EFB82D4AD67
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000002.1390252194.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000011.00000002.1390252194.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000011.00000002.1390252194.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 24%, ReversingLabs
                    Reputation:low
                    Has exited:true

                    Target ID:18
                    Start time:08:18:17
                    Start date:21/10/2024
                    Path:C:\Users\user\AppData\Local\Temp\windowsBook.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\Temp\windowsBook.exe"
                    Imagebase:0x810000
                    File size:509'440 bytes
                    MD5 hash:8D664129AF173ED945236EFB82D4AD67
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:19
                    Start time:08:18:20
                    Start date:21/10/2024
                    Path:C:\Users\user\AppData\Local\Temp\windowsBook.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\AppData\Local\Temp\windowsBook.exe"
                    Imagebase:0x280000
                    File size:509'440 bytes
                    MD5 hash:8D664129AF173ED945236EFB82D4AD67
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:20
                    Start time:08:18:20
                    Start date:21/10/2024
                    Path:C:\Users\user\AppData\Local\Temp\windowsBook.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\Temp\windowsBook.exe"
                    Imagebase:0xce0000
                    File size:509'440 bytes
                    MD5 hash:8D664129AF173ED945236EFB82D4AD67
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000014.00000002.1444950747.0000000005630000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000014.00000002.1440972671.000000000304C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                    Reputation:low
                    Has exited:true

                    Target ID:22
                    Start time:08:18:21
                    Start date:21/10/2024
                    Path:C:\Users\user\AppData\Local\Temp\windowsBook.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\Temp\windowsBook.exe"
                    Imagebase:0xb50000
                    File size:509'440 bytes
                    MD5 hash:8D664129AF173ED945236EFB82D4AD67
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000016.00000002.2483789589.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000016.00000002.2483789589.000000000133B000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000016.00000002.2486571211.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000016.00000002.2486571211.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000016.00000002.2486571211.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                    Reputation:low
                    Has exited:false


                      Execution Graph

                      Execution Coverage:9.5%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:110
                      Total number of Limit Nodes:7
                      • Graph data: node/edge list of the interactive execution graph, not reproduced here. API nodes present in the graph: GetModuleHandleW, WriteProcessMemory, VirtualAllocEx, CreateProcessA, ReadProcessMemory, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, ResumeThread, CloseHandle, Wow64SetThreadContext, DuplicateHandle, PostMessageW, CreateActCtxA

                      Control-flow Graph
                      • Function start: 94d0040 (basic-block edge list of the interactive graph, with its Executed / Not Executed colouring, not reproduced here)
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'q$TJq$Teq$pq$xbq
                      • API String ID: 0-4142780942
                      • Opcode ID: 8334ea13ec533fa4c24bb9758a067b889224c7a93b2529501c7f39575cc97cc6
                      • Instruction ID: a3b581cb8a98814f341bef4f198cab1062bef8f4784a03560ee83a18d6b42a1f
                      • Opcode Fuzzy Hash: 8334ea13ec533fa4c24bb9758a067b889224c7a93b2529501c7f39575cc97cc6
                      • Instruction Fuzzy Hash: FAB2B474E01228DFDB64CF69C984AD9BBB2FF89304F1581E9D509AB265DB319E81CF40

                      Control-flow Graph
                      • Function start: 111d3e8 (basic-block edge list of the interactive graph, with its Executed / Not Executed colouring, not reproduced here)
                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 0111D476
                      • GetCurrentThread.KERNEL32 ref: 0111D4B3
                      • GetCurrentProcess.KERNEL32 ref: 0111D4F0
                      • GetCurrentThreadId.KERNEL32 ref: 0111D549
                      Memory Dump Source
                      • Source File: 00000000.00000002.1275304574.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1110000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: 923a5486c9ac5bf648d31b8b0a7df0e015c18542db572099f854530b86274d3a
                      • Instruction ID: ee25b2ff33b72e0ad974760138ba84313422143fde7e964ba0929f6dc14ca295
                      • Opcode Fuzzy Hash: 923a5486c9ac5bf648d31b8b0a7df0e015c18542db572099f854530b86274d3a
                      • Instruction Fuzzy Hash: 935178B0D013098FDB18DFAAD548B9EBBF1AF48304F20C469D519A72A0D7346945CF26

                      Control-flow Graph
                      • Function start: 111d3f8 (basic-block edge list of the interactive graph, with its Executed / Not Executed colouring, not reproduced here)
                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 0111D476
                      • GetCurrentThread.KERNEL32 ref: 0111D4B3
                      • GetCurrentProcess.KERNEL32 ref: 0111D4F0
                      • GetCurrentThreadId.KERNEL32 ref: 0111D549
                      Memory Dump Source
                      • Source File: 00000000.00000002.1275304574.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1110000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: f1c55e693d553e68486f93f5c1610677b82f60e7296aad179bd217f646127bda
                      • Instruction ID: 2a95ca05e4e9297eda5d6761153916f7e16e732c94267f462c791a494f2cac78
                      • Opcode Fuzzy Hash: f1c55e693d553e68486f93f5c1610677b82f60e7296aad179bd217f646127bda
                      • Instruction Fuzzy Hash: C55147B0D013098FDB18DFAAD548B9EBBF1EF88314F20C469E519A7250D7346945CF66

                      Control-flow Graph
                      • Function start: 94df424 (basic-block edge list of the interactive graph, with its Executed / Not Executed colouring, not reproduced here)
                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 094DF666
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 353777a6fc4f8b836a3a418c81582bd241bf5f1970622d7589e9da6f8acf8179
                      • Instruction ID: 43ef5a666aab29d93f1319719af956524681c64228f0edcf57fc67850cb73eee
                      • Opcode Fuzzy Hash: 353777a6fc4f8b836a3a418c81582bd241bf5f1970622d7589e9da6f8acf8179
                      • Instruction Fuzzy Hash: BCA15D75D117198FDB24CF68C851BEEBBF2BF44310F1482AAE809A7240DB759985CFA1

                      Control-flow Graph
                      • Function start: 94df430 (basic-block edge list of the interactive graph, with its Executed / Not Executed colouring, not reproduced here)
                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 094DF666
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 3e871dcbc3c81db7c71c467c7501a7bdbd6cb38efcb67f1578316c5deddd41fc
                      • Instruction ID: c1e2a0593dbe028ff568c9409d12bed46b7066c0beeab58bb1b8bdc0c3a70ace
                      • Opcode Fuzzy Hash: 3e871dcbc3c81db7c71c467c7501a7bdbd6cb38efcb67f1578316c5deddd41fc
                      • Instruction Fuzzy Hash: FE915D75D117198FDB24CF68C851BEEBBF2BF48310F1481AAE809A7240DB759985CFA1

                      Control-flow Graph
                      • (graph image not reproduced) entry block 111ad68; internal calls to 111a0c0, 111aff0, 111b000, 111a0cc, 111a0dc, 111a0ec, 111a0fc; GetModuleHandleW is called in block 111afa0-111afcb
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0111AFBE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1275304574.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1110000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: eb217b7b90cc5292aa89a0f39ebfbe4b29f8d5e1e602ffb5d056a348ec91c834
                      • Instruction ID: c31299b0f9451af427d54e91014dc045e2517f62b118985e950f2f7f5f0a3e4a
                      • Opcode Fuzzy Hash: eb217b7b90cc5292aa89a0f39ebfbe4b29f8d5e1e602ffb5d056a348ec91c834
                      • Instruction Fuzzy Hash: 37815670A02B458FEB28DF29E04579AFBF1BF88304F00892DD58AD7A54D735E846CB91

                      Control-flow Graph
                      • (graph image not reproduced) entry block 111590c; CreateActCtxA is called in block 1115918-11159d9
                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 011159C9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1275304574.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1110000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: d6e2bfa5e6a0fb08be039b6d3b730ef463c430a5c4b604797096f96669fc96b4
                      • Instruction ID: 84fed31b56e9e5880e789f81ee276572465e3680e044d985c5adfc643ab661aa
                      • Opcode Fuzzy Hash: d6e2bfa5e6a0fb08be039b6d3b730ef463c430a5c4b604797096f96669fc96b4
                      • Instruction Fuzzy Hash: 4B41F4B1C0071DCBEB28CFA9C88479DFBB6BF89314F20806AD508AB255DB755946CF50

                      Control-flow Graph
                      • (graph image not reproduced) entry block 11144e0-11159d9, which calls CreateActCtxA (same call site as the function above)
                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 011159C9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1275304574.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1110000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: 52ba2722f613ed2ef79ca6bde1742fc82cb0c242079383ac7ca000f408be7938
                      • Instruction ID: e31a39023070ef2e4e3f135db5c0d3f54f9d3f6f284f3babe644bdea175f5283
                      • Opcode Fuzzy Hash: 52ba2722f613ed2ef79ca6bde1742fc82cb0c242079383ac7ca000f408be7938
                      • Instruction Fuzzy Hash: 0941D4B1C0071DCBEB28DFA9C84479DFBB6BF49314F208169D408AB255DB755946CF90

                      Control-flow Graph
                      • (graph image not reproduced) entry block 111d701; DuplicateHandle is called in block 111d6c4-111d6d4
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0111D6C7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1275304574.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1110000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 970e99816e8fb77c5c88a9155d09f3a930330c3a0a36e05c0a234759fe01bd9b
                      • Instruction ID: 80664a9192caa9aad9f295cfa2f177492c1ca2c94c9c84ebe7ca0fbd2a1a37a6
                      • Opcode Fuzzy Hash: 970e99816e8fb77c5c88a9155d09f3a930330c3a0a36e05c0a234759fe01bd9b
                      • Instruction Fuzzy Hash: 6131A134E803808FE704EFA1F4587693BA5F785718F118929E9518F3D9CAB84956CB11

                      Control-flow Graph
                      • (graph image not reproduced) entry block 94df1a2; WriteProcessMemory is called in block 94df206-94df245
                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 094DF238
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 36f20c5151dcef1c7b46d185e6842014e0b3bbb4499bf83dd121891201c8b52e
                      • Instruction ID: bb3abdedec15fe3fa0f102e1a3811bace902dccaa8a08a58ee4cc018ea18cd20
                      • Opcode Fuzzy Hash: 36f20c5151dcef1c7b46d185e6842014e0b3bbb4499bf83dd121891201c8b52e
                      • Instruction Fuzzy Hash: EB2104759103099FDB20DFA9C885BEEBBF1FF48310F50852AE919A7240C7799945CBA4

                      Control-flow Graph
                      • (graph image not reproduced) entry block 94df1a8; WriteProcessMemory is called in block 94df206-94df245 (same call site as the function above)
                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 094DF238
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 7b179ca4eaab96b716029fe14d395a2c3b65387fb79783eee1a67489f0b0077e
                      • Instruction ID: 24cc3df44513c84596dc8dab78b36797706c2af016e5e5bc2847ba7161512d96
                      • Opcode Fuzzy Hash: 7b179ca4eaab96b716029fe14d395a2c3b65387fb79783eee1a67489f0b0077e
                      • Instruction Fuzzy Hash: 1D212575D003099FDB20DFAAC885BEEBBF5FF48310F50842AE919A7240D7799945CBA4

                      Control-flow Graph
                      • (graph image not reproduced) entry block 94df008; Wow64SetThreadContext is called in block 94df06b-94df09b
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 094DF08E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: 9fc0656d7a28aa1802b5d8c60c3878f76c91fe15f5e08eec28021d9d0b77d2d2
                      • Instruction ID: 54984a78cd97c7c6ff4b8208697b2f20b8c3957a394d48383d3b1834d58dbd74
                      • Opcode Fuzzy Hash: 9fc0656d7a28aa1802b5d8c60c3878f76c91fe15f5e08eec28021d9d0b77d2d2
                      • Instruction Fuzzy Hash: D1212875D103098FDB20DFAAC4857EEBBF4AF48314F14842AD559A7240DB789945CFA0
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 094DF318
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: 67dca6083272e2da80dd990bcec6eab9fd46c0b7cbf0c45289f4abcfc8550724
                      • Instruction ID: c3d5711b62bcd98f9536e6d1f8628acd1f47ae290c1e6f7be3b9ec8b3db5aec4
                      • Opcode Fuzzy Hash: 67dca6083272e2da80dd990bcec6eab9fd46c0b7cbf0c45289f4abcfc8550724
                      • Instruction Fuzzy Hash: FF210575D103499FDB20DFA9D881BEEBBF5FF48310F50842AE919A7240C7399945CB64
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 094DF08E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: abd36593d17b0f383ff8cab78b28f3513918973422a8a9ebc1ee084d604e2bad
                      • Instruction ID: a92c2dbb55b4b0ef40ddab4fee004f6270a303603697a635d5d7cd2066fdb491
                      • Opcode Fuzzy Hash: abd36593d17b0f383ff8cab78b28f3513918973422a8a9ebc1ee084d604e2bad
                      • Instruction Fuzzy Hash: 00213575D003098FDB20DFAAC485BAEBBF4EF48324F54842AD559A7240DB789945CFA4
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 094DF318
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: dfd681bdc33db16956341cf414935a1aa0ecc66eebcec88ed79932d556fc41bd
                      • Instruction ID: a9bf63a552f6c067b58c007801abeecc270c534f211356a2bedd047475bdc4bb
                      • Opcode Fuzzy Hash: dfd681bdc33db16956341cf414935a1aa0ecc66eebcec88ed79932d556fc41bd
                      • Instruction Fuzzy Hash: 80212875C003499FDB20DFAAC841BEEBBF5FF48310F50842AE919A7240C7399945CBA4
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0111D6C7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1275304574.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1110000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 687d3bd4dbda95cbece45c47e2ae3821982fa1316bcbd75cd7b2c8b39a4cafb0
                      • Instruction ID: eca2fbe6db9f7863f2c52318769691561121f8d89716cbd395d97e8eb77fb023
                      • Opcode Fuzzy Hash: 687d3bd4dbda95cbece45c47e2ae3821982fa1316bcbd75cd7b2c8b39a4cafb0
                      • Instruction Fuzzy Hash: 3421E4B5D003089FDB10CF9AD984ADEFBF4EB48310F14842AE958A3350D374A940CF64
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0111D6C7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1275304574.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1110000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 6de527a25b1083cdc958a87d0b4e08915104b04d3b65c52d7ff1fa36bd322a11
                      • Instruction ID: 727d2644ae2adde6df602dbb5a85b7950cda604bd11ab83e2090681443a6c91f
                      • Opcode Fuzzy Hash: 6de527a25b1083cdc958a87d0b4e08915104b04d3b65c52d7ff1fa36bd322a11
                      • Instruction Fuzzy Hash: F221E3B5D00209DFDB10CFAAD585ADEFBF5FB48310F14842AE958A3250D774A941CF64
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 094DF156
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: fb83d4db39905c59dd309e2bbce0172f781212f407b393a53fd21e28a3c9246d
                      • Instruction ID: cfd5c50c592b0c459f69a5bfa8cfa62386633f748b9448b48f0205e1d419f28f
                      • Opcode Fuzzy Hash: fb83d4db39905c59dd309e2bbce0172f781212f407b393a53fd21e28a3c9246d
                      • Instruction Fuzzy Hash: 83114776C003498FDB20DFA9C845BDEBBF1EF48320F20841AE519A7250CB359945CFA0
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 094DF156
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: c6e6bb550b4616f541d5b173f288439b189b021dd1e534090551977ed99bdd9c
                      • Instruction ID: 6b890faa6481ae1abc451e3a441573aa52b15efbafcafc738e7598c21466ae0e
                      • Opcode Fuzzy Hash: c6e6bb550b4616f541d5b173f288439b189b021dd1e534090551977ed99bdd9c
                      • Instruction Fuzzy Hash: 04112675D003499FDB20DFAAC845BEFBBF5EB48320F14841AE529A7250CB75A945CFA0
                      APIs
                      • ResumeThread.KERNELBASE(?), ref: 094DEFC2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: cae030684fd82d277bda2344ca7f69509ac085dc3ceb7a692140b9e0d26c88fd
                      • Instruction ID: cc153ab46a24fac92ca2391d513a336c4b1029b3b2632b7e24478fbddccd6e63
                      • Opcode Fuzzy Hash: cae030684fd82d277bda2344ca7f69509ac085dc3ceb7a692140b9e0d26c88fd
                      • Instruction Fuzzy Hash: AD112875D003498FDB20DFAAC4457AFFBF5EB48220F24882ED519A7640CB75A941CBA4
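The functions dumped from the 094D0000 region above reference CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread. Taken together that is the primitive set of process hollowing: a child process is created, memory is allocated and written in it, its thread context is rewritten and the thread is resumed; Wow64SetThreadContext in particular indicates a 32-bit target running under WOW64. The Python below is an added example and is not part of the Joe Sandbox report or its IDA plugin output. It parses lines in the shape of the "APIs" and "Source File" bullets on this page (the embedded excerpt is constructed from the entries above), groups each API reference by the memory region it was dumped from, and flags any region that contains at least four of the primitives. The primitive list and the threshold of four are assumptions chosen for this example. Addresses within a region reflect code layout, not execution order, so the script reports the set and the call sites but makes no claim about the sequence in which they run.

```python
import re
from collections import defaultdict

# Line shapes taken from the function listing on this page:
#   • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 094DF666
#   • Source File: 00000000.00000002.1276917195.00000000094D0000....sdmp, Offset: 094D0000, based on PE: false
API_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SRC_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]+)")

# Assumption for this example: the Win32 APIs that make up a hollowing chain.
# A dump region referencing at least MIN_HITS of them is flagged.
HOLLOWING_APIS = {
    "CreateProcessA", "CreateProcessW",
    "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory",
    "Wow64SetThreadContext", "SetThreadContext", "ResumeThread",
    "NtUnmapViewOfSection", "ZwUnmapViewOfSection",
}
MIN_HITS = 4

# Constructed excerpt: API and Source File bullets copied from the entries on
# this page, in the order the report lists them.
SAMPLE_REPORT = """
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 094DF666
• Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
• GetModuleHandleW.KERNELBASE(00000000), ref: 0111AFBE
• Source File: 00000000.00000002.1275304574.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0111D6C7
• Source File: 00000000.00000002.1275304574.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 094DF238
• Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 094DF238
• Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 094DF08E
• Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 094DF318
• Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 094DF156
• Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
• ResumeThread.KERNELBASE(?), ref: 094DEFC2
• Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
• PostMessageW.USER32(?,?,?,?), ref: 0BF6111D
• Source File: 00000000.00000002.1277388593.000000000BF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF60000, based on PE: false
• CloseHandle.KERNELBASE(?), ref: 0BF63C90
• Source File: 00000000.00000002.1277388593.000000000BF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF60000, based on PE: false
"""


def parse_api_entries(text):
    """Return a list of (region_base, api_name, call_site) tuples.

    Every API bullet is attributed to the next 'Source File ... Offset:' bullet
    that follows it, which names the dump region the function came from.
    """
    pending, entries = [], []
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            pending.append((m.group("api"), int(m.group("ref"), 16)))
            continue
        m = SRC_RE.search(line)
        if m and pending:
            base = int(m.group("base"), 16)
            entries.extend((base, api, ref) for api, ref in pending)
            pending = []
    return entries


def find_hollowing_regions(entries):
    """Map region base -> {api: lowest call site} for regions that reference
    at least MIN_HITS of the hollowing primitives. Duplicate functions (the
    report lists WriteProcessMemory twice at the same site) collapse to one."""
    by_region = defaultdict(dict)
    for base, api, ref in entries:
        if api in HOLLOWING_APIS:
            seen = by_region[base].get(api)
            if seen is None or ref < seen:
                by_region[base][api] = ref
    flagged = {}
    for base in sorted(by_region):
        apis = by_region[base]
        if len(apis) >= MIN_HITS:
            # Sorted by address for readability only; this is layout, not call order.
            flagged[base] = dict(sorted(apis.items(), key=lambda kv: kv[1]))
    return flagged


if __name__ == "__main__":
    for base, apis in find_hollowing_regions(parse_api_entries(SAMPLE_REPORT)).items():
        print(f"region {base:08X}: {len(apis)} hollowing primitives")
        for api, site in apis.items():
            print(f"  {site:08X}  {api}")
```

Run against the constructed excerpt, only the 094D0000 region is flagged, with six of the primitives; the 01110000 and 0BF60000 regions (GetModuleHandleW, DuplicateHandle, PostMessageW, CloseHandle) are not. The same parser works on a full report export, where the 'based on PE: false' regions are the ones worth checking first, since code that calls these APIs from non-image memory is typically unpacked or JIT-compiled at runtime.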
                      APIs
                      • PostMessageW.USER32(?,?,?,?), ref: 0BF6111D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1277388593.000000000BF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bf60000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: a72e8838e1417191a271242bcff2a7e3cb2bfa2d4b4ce601fe343ece71a7480e
                      • Instruction ID: 7ae13ec070baf91086a6219ba0e993b36a5f858259983850c22d84a39aa918de
                      • Opcode Fuzzy Hash: a72e8838e1417191a271242bcff2a7e3cb2bfa2d4b4ce601fe343ece71a7480e
                      • Instruction Fuzzy Hash: 0311F5B58003499FDB20DF9AD885BDEFBF4EB48310F108419D519A7210C375A544CFA1
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0111AFBE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1275304574.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1110000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: b2e2061970f75ad5dbb356bfbd677f78d6e5e91fdeb681685d25e781dd73881b
                      • Instruction ID: 60201ddfec18eaba284c00fd453f4a0228d9355eff1df1f90ebf9aa8ef80e491
                      • Opcode Fuzzy Hash: b2e2061970f75ad5dbb356bfbd677f78d6e5e91fdeb681685d25e781dd73881b
                      • Instruction Fuzzy Hash: 32110FB5C003498FDB24CF9AD444ADEFBF4EF88224F10842AD528A7644C379A545CFA1
                      APIs
                      • PostMessageW.USER32(?,?,?,?), ref: 0BF6111D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1277388593.000000000BF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bf60000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: d8087f8f203494b7212c1f11993137d8c948aa51254df7c8bd4b172cb2b7e9c5
                      • Instruction ID: bc86526926fa894a6e46b4b7e6aa01963242b42fa059776ec9c08bdb686d8d9f
                      • Opcode Fuzzy Hash: d8087f8f203494b7212c1f11993137d8c948aa51254df7c8bd4b172cb2b7e9c5
                      • Instruction Fuzzy Hash: 5711E5B58003499FDB20DF9AD845BDEFBF8EB48320F108419D958A7240C375A944CFA5
                      APIs
                      • CloseHandle.KERNELBASE(?), ref: 0BF63C90
                      Memory Dump Source
                      • Source File: 00000000.00000002.1277388593.000000000BF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bf60000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      • Opcode ID: 4de85f3b5691c262235f3af1e357f2403bb5e700202d41149801282ceb65dcc7
                      • Instruction ID: f4053d17ca22f0a78b3771a15a94f01c6d5d698aead7f3ba675f4c21b9fbcb38
                      • Opcode Fuzzy Hash: 4de85f3b5691c262235f3af1e357f2403bb5e700202d41149801282ceb65dcc7
                      • Instruction Fuzzy Hash: 82113AB5C003498FDB20DF9AD545BEEBBF4EF48320F108419D958A7241D738A545CFA5
                      APIs
                      • CloseHandle.KERNELBASE(?), ref: 0BF63C90
                      Memory Dump Source
                      • Source File: 00000000.00000002.1277388593.000000000BF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bf60000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      • Opcode ID: 89ccb7ca9fcc84b5b317a3a37b8272af165f66c9b284cfea60b2d29f90f8d061
                      • Instruction ID: 71d40cda39fcfdb64a0aef75b7a4bb3fe72e72d942dd4e3652b589e5ca65a975
                      • Opcode Fuzzy Hash: 89ccb7ca9fcc84b5b317a3a37b8272af165f66c9b284cfea60b2d29f90f8d061
                      • Instruction Fuzzy Hash: 201148B5C003498FCB20DF9AC445BDEBBF4EB48320F108419D958A7340D738A544CFA5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1274900848.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c9d000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ffd7e13e7df5a88aef6196b97e82d1b4250d3dd1b3e27187bda7171435597d37
                      • Instruction ID: 23453c7874c8efd89f2a653672ac79761aaca1ccfa3649dc90b33b79adcc3139
                      • Opcode Fuzzy Hash: ffd7e13e7df5a88aef6196b97e82d1b4250d3dd1b3e27187bda7171435597d37
                      • Instruction Fuzzy Hash: 1D212571604304DFDF14DF14D9C8B26BB65FB98324F20C1A9E90A1F256C336E856CBA2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1274948402.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_cad000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 414d0fd553eb95f6df9d753b6b9041fc83d637ef67399d43033ab3aa7678d375
                      • Instruction ID: a8f44c94ebc9e33208486046667070d3222e7ed135238a00c81dfed589108d40
                      • Opcode Fuzzy Hash: 414d0fd553eb95f6df9d753b6b9041fc83d637ef67399d43033ab3aa7678d375
                      • Instruction Fuzzy Hash: 38212271604301DFDB14DF20D9C4B16BB61EB89318F20C5ADE84B4B686C336D807CA62
                      Memory Dump Source
                      • Source File: 00000000.00000002.1274948402.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_cad000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 884dc1c775e0d63ad06bfb1d6d746907d70cd0974ef267a6e4a244eb181655ac
                      • Instruction ID: 9d264c1b30ecb98e625c764c2db62846bfca1089fa2263a4835a8e93eb6bbf60
                      • Opcode Fuzzy Hash: 884dc1c775e0d63ad06bfb1d6d746907d70cd0974ef267a6e4a244eb181655ac
                      • Instruction Fuzzy Hash: 6E210475A04305EFDB15DF10D9C4B26BBA5FB85318F20C6ADE84B4B692C336DC46CA61
                      Memory Dump Source
                      • Source File: 00000000.00000002.1274948402.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_cad000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 27f2667af42f49e2fb287e3aca2efba7af632b184bc57d00686b68ca330b846b
                      • Instruction ID: 7077a3ef508c3321d1ce169278e14fb536aa7d176ab3fc85eec8e928211748a0
                      • Opcode Fuzzy Hash: 27f2667af42f49e2fb287e3aca2efba7af632b184bc57d00686b68ca330b846b
                      • Instruction Fuzzy Hash: 3A2165755093C08FCB16CF24D594715BF71EB46314F28C5DAD84A8F6A7C33A990ACB62
                      Memory Dump Source
                      • Source File: 00000000.00000002.1274900848.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c9d000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                      • Instruction ID: 3b77cf89e72c6d7167099bacaec92b0a664f53a212a1488ab8d186332d52dceb
                      • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                      • Instruction Fuzzy Hash: CD110376504240CFCF05CF00D5C4B16BF72FB94324F24C2A9D80A1B256C33AE956CBA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1274948402.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_cad000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                      • Instruction ID: 4552db2639f76489b5e73456e393b3beb0ef704058b196a164f9d50216a44871
                      • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                      • Instruction Fuzzy Hash: 0D11DD75504284DFCB05CF10C5C4B15FBB2FB85328F24C6ADD84A4B6A6C33AD84ACB61
                      Memory Dump Source
                      • Source File: 00000000.00000002.1274900848.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c9d000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 024559a7e6761edb55a5b41a6ef3f68ac662d2640c7f94b67aff7a66b2f48321
                      • Instruction ID: 16e8afddfc0a9ff393e2ce6260a2c6f4b2450aa8e6785e4e5d1ea877a5c4dced
                      • Opcode Fuzzy Hash: 024559a7e6761edb55a5b41a6ef3f68ac662d2640c7f94b67aff7a66b2f48321
                      • Instruction Fuzzy Hash: 23012B311083049EEF204E62DCC8B26FF98DF41721F18C45AED1A1A28AC7389C40CAB1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1274900848.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c9d000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 298811263a8d2f4945d47338cc4988e1940252fb7ed1401c44dc0aebb8acc003
                      • Instruction ID: 2846471fe65d7a7d557068566c6b8c7c605f8157846e737c0a7b5ffc2f9b18ab
                      • Opcode Fuzzy Hash: 298811263a8d2f4945d47338cc4988e1940252fb7ed1401c44dc0aebb8acc003
                      • Instruction Fuzzy Hash: 86F09671504344AEEB208E16DC88B62FFA8EF51735F18C55AED195B287C379AC44CBB1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID: TJq$Teq$xbq
                      • API String ID: 0-4091408781
                      • Opcode ID: 3746bab848c34562c794a433796afece8ece7571b127802bf1e1f638a66ab341
                      • Instruction ID: 50eb4eea38fc56f25997b815a93635e97c4aa7669c0cc408ec391c30ad4cb0fd
                      • Opcode Fuzzy Hash: 3746bab848c34562c794a433796afece8ece7571b127802bf1e1f638a66ab341
                      • Instruction Fuzzy Hash: 5AC1B075E01658CFDB28CF6AD9456DDBBF2AF89300F14C0EAD809AB265DB305A85CF50
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1277388593.000000000BF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bf60000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID: ZKL
                      • API String ID: 0-3693865558
                      • Opcode ID: c516a43658e44b15cb60f47be9f3bcaf066aa535e612a433220f8907f6f71a62
                      • Instruction ID: a2b52a8cd8fbb924907e8aadd510b53afa989c8181bdb3008280b3d0754be24e
                      • Opcode Fuzzy Hash: c516a43658e44b15cb60f47be9f3bcaf066aa535e612a433220f8907f6f71a62
                      • Instruction Fuzzy Hash: 6A02DC72F016098FDB19DFB9C8507AEBBF6AF89740F10406AD84AAB390DB34D945CB51
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 862ca6cb7197f644e50895019b5df8b9572f79813e4b704b9a5dd35db439318d
                      • Instruction ID: 22c17aa3b3b375b6ed12908e7cccc1c567c8d4a17277116728661ca30305bf5b
                      • Opcode Fuzzy Hash: 862ca6cb7197f644e50895019b5df8b9572f79813e4b704b9a5dd35db439318d
                      • Instruction Fuzzy Hash: D9E13C74E002198FDB14DFA8C590AAEFBB2FF89305F24825AD454AB355DB31AD42CF60
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4fd769f1a1aea4886d21e0e343dc9cf785e07b49d8bdbccbb2a82352984a8c85
                      • Instruction ID: 05f88eff4db61bc9d1c4f6e9aefa13915cbdc1b6dc7aa0be12827d5fb75400e3
                      • Opcode Fuzzy Hash: 4fd769f1a1aea4886d21e0e343dc9cf785e07b49d8bdbccbb2a82352984a8c85
                      • Instruction Fuzzy Hash: 84E12E74E042198FDB14DFA9C590AAEFBB2FF89305F24815AD444AB355D731AD41CF60
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2752ed29c2197d0aca3d4578482eefbe2b0366d0ecc6b619c5a744e16679ddbe
                      • Instruction ID: fe9e360285ef10c0ddd115c19baab0f46dbb3057c4371a2884ffb30bc32730a9
                      • Opcode Fuzzy Hash: 2752ed29c2197d0aca3d4578482eefbe2b0366d0ecc6b619c5a744e16679ddbe
                      • Instruction Fuzzy Hash: 5FE11B74E002198FDB14DFA9C590AAEFBB2FF89314F24816AD414AB755D731AD42CF60
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b2a125bcc7dfb2c026bf24cf16053c31be57265f00ef6a532df9fccdce56d081
                      • Instruction ID: f23ca573d1f4738404f47d5a11aaf79a740fcb576832d8cd2bf1b3a67ac8a388
                      • Opcode Fuzzy Hash: b2a125bcc7dfb2c026bf24cf16053c31be57265f00ef6a532df9fccdce56d081
                      • Instruction Fuzzy Hash: FCE11A74E042198FDB14DFA8C590AAEFBB2FF89305F24826AD454AB355DB31AD41CF60
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 10cc8211e8e29e399e227806de8b81de9e62eaf0f8e29e230e600869c2737120
                      • Instruction ID: 957ef9d76f77ed3eee165e0de6469956930a9ab19a9692c9a0b87198cc261a40
                      • Opcode Fuzzy Hash: 10cc8211e8e29e399e227806de8b81de9e62eaf0f8e29e230e600869c2737120
                      • Instruction Fuzzy Hash: EEE13B74E042198FDB14DFA9C590AAEFBB2FF89304F24826AD414AB355DB31AD41CF60
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 20fd5865e374d4943d000f968b8b9e5c46779a30de7629fff4793df1e5b1ddd5
                      • Instruction ID: a080c05a1a9a5cd1352ea4ef17df077c51812b71a478ff26c9dfba6f3d249722
                      • Opcode Fuzzy Hash: 20fd5865e374d4943d000f968b8b9e5c46779a30de7629fff4793df1e5b1ddd5
                      • Instruction Fuzzy Hash: 2ED10A78D09218CFDB24DFA5C89479EBBF2FF89304F00916AD409AB294DB745A86CF51
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2e0833bc0a804c7241578c3f3ee81bb9a628e4cc7568cfb0bc6e733fc6162180
                      • Instruction ID: 423948826b5e0adc06da8b42be9cbd5a8819d76b88ad0c353f98cf36e01a8200
                      • Opcode Fuzzy Hash: 2e0833bc0a804c7241578c3f3ee81bb9a628e4cc7568cfb0bc6e733fc6162180
                      • Instruction Fuzzy Hash: D0D13735D2475A8ACB11EFA4D894A99F7B1FFD5300F20D79AE0093B215EB706AC4CB81
                      Memory Dump Source
                      • Source File: 00000000.00000002.1275304574.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1110000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 29ce94876dd9d39b33f9792695d5b13c1a5f024c17ffba8f2c9b94dec58e3aa4
                      • Instruction ID: 9a009a35e0ab0500aae530826067e9679762b32d0411f8a748d970665aa242bb
                      • Opcode Fuzzy Hash: 29ce94876dd9d39b33f9792695d5b13c1a5f024c17ffba8f2c9b94dec58e3aa4
                      • Instruction Fuzzy Hash: 41A15E36E00216CFCF09DFB9D44459EBBB2FF85304B15857AE905AB269DB31D91ACB40
                      Memory Dump Source
                      • Source File: 00000000.00000002.1276917195.00000000094D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_94d0000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 70909590697d72f8a4e62ef60cfad858253eaa737e72d0e8c53c6e1ace380565
                      • Instruction ID: ac57682b0f455c8f5b04736bace5d13ed008bc9c4cd6971e4d70e13157c7790d
                      • Opcode Fuzzy Hash: 70909590697d72f8a4e62ef60cfad858253eaa737e72d0e8c53c6e1ace380565
                      • Instruction Fuzzy Hash: EB514A74E042198FDB14CFA9C5905AEBBF2BF89305F24826AD448AB355DB359D42CFA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1277388593.000000000BF60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF60000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bf60000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8e9a9016909b0b3e6c4dca9d3d7066a69397d38efe90c11aadddfbef554e2db3
                      • Instruction ID: 2cae188a16cee5c62a38182761d5d3795d033f9cfcab2b329ef027c2ab0cc0b5
                      • Opcode Fuzzy Hash: 8e9a9016909b0b3e6c4dca9d3d7066a69397d38efe90c11aadddfbef554e2db3
                      • Instruction Fuzzy Hash: 52E0C077959104DBC7108B64E4892F8BB79BB4F755F107151981E93252DF305994CE14
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID: (q$Teq
                      • API String ID: 0-2049869722
                      • Opcode ID: 5517c05aae8e9c546aa14a5a464d5243ce57a6ecc42a058e0ba511e59786005c
                      • Instruction ID: 0da11d82e48ae9adfc05b634517394db7a5266566cf30273833575a2f210d932
                      • Opcode Fuzzy Hash: 5517c05aae8e9c546aa14a5a464d5243ce57a6ecc42a058e0ba511e59786005c
                      • Instruction Fuzzy Hash: 8F519F30B101148FCB54DF69C494A5DBBF6FF89710F2580A9E806EF3A5CA799C068B90
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID: Hq$dLq
                      • API String ID: 0-4038822049
                      • Opcode ID: 7a4a544fedff69fd168ed500f13d018591e71d7726c151e1f8965026b01340c6
                      • Instruction ID: edbd7e69defc48bb0b41190e59932085afc5e1b9813bac34cfc79c59becfc481
                      • Opcode Fuzzy Hash: 7a4a544fedff69fd168ed500f13d018591e71d7726c151e1f8965026b01340c6
                      • Instruction Fuzzy Hash: 1751B031B002148FDB189F68D454A9EBBF6BF89310F1545A9E405EF3A1CA799C09CBA0
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID: LRq
                      • API String ID: 0-3187445251
                      • Opcode ID: 1ecdc3485ee5f1668dd3750960625717d23bac119b313fbe7f94fc5557893a57
                      • Instruction ID: 579c09557190b61c82f7fd88c7b4131f8f936d76738996281e952388e72bf171
                      • Opcode Fuzzy Hash: 1ecdc3485ee5f1668dd3750960625717d23bac119b313fbe7f94fc5557893a57
                      • Instruction Fuzzy Hash: 4F310D31F002158FCB14AB7D9890AAEBFE6FFC9210B14456EE516EB3A0DE34DD028790
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID: dLq
                      • API String ID: 0-2312315067
                      • Opcode ID: c032e4842a66e83bae0e6dc0c16ab8d21a299d313a7f6bf3c046b9da121aab64
                      • Instruction ID: 70d123b034d90e71d8b033092f7d707f403a3584a1935a947e674b0bb22ef136
                      • Opcode Fuzzy Hash: c032e4842a66e83bae0e6dc0c16ab8d21a299d313a7f6bf3c046b9da121aab64
                      • Instruction Fuzzy Hash: 62319275A002049FDB14DF68C454BAEBBF5FF88300F148569E505AF3A1CB75AD09CB90
                      Strings
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID: Hq
                      • API String ID: 0-1594803414
                      • Opcode ID: 3b7a1d9e0915df1a660b4d94c9f9cb8cd1ccfcd6e9ebf0de9baea42619077046
                      • Instruction ID: d53502aad2b7590a5fc15f02bf6d0ec6f55a93b218ee87c828916958b75edbcf
                      • Opcode Fuzzy Hash: 3b7a1d9e0915df1a660b4d94c9f9cb8cd1ccfcd6e9ebf0de9baea42619077046
                      • Instruction Fuzzy Hash: 1101F9317043504FC749973C945596E3BE6EFC626031548BEE409CF3A2DD2C8C0A8765
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f156c85de2f881dbe24961f4645f958a01047dac1e6c87dfdf28f1b254e9bcd3
                      • Instruction ID: 8ed2bc85134f3c9ed91cf6852332bc6b311f619332f3b3acb4b2b51e1ec4e17e
                      • Opcode Fuzzy Hash: f156c85de2f881dbe24961f4645f958a01047dac1e6c87dfdf28f1b254e9bcd3
                      • Instruction Fuzzy Hash: 2EC11A347006048FDB54EB68D494A6D7BF2FF88310F2544A9E906AB3A5DF35EC46CB51
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b47f0eed35849f5301e043db94a673f7b05735650b4062ea97d227161b8972e9
                      • Instruction ID: da8429194266e7036d96973b38d8729a7822b00df07163ccd7010ef2904c22c7
                      • Opcode Fuzzy Hash: b47f0eed35849f5301e043db94a673f7b05735650b4062ea97d227161b8972e9
                      • Instruction Fuzzy Hash: 836109387002048FDB58EB68D4A4A6D7BF2FF88710F254499E906AB3A5CF75EC42DB51
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 932c21a4cfa70cf57b3d953ace15958d7235537d5d2ea0b60cf36ebe4e92e165
                      • Instruction ID: f608e5daf889713dcf70c6ce47df7ce3eed0a599c6b9c4f4c77fd8b9f98c9f2f
                      • Opcode Fuzzy Hash: 932c21a4cfa70cf57b3d953ace15958d7235537d5d2ea0b60cf36ebe4e92e165
                      • Instruction Fuzzy Hash: BB51D435610211CFC725DF24E49495977A2FF84605750AA6DDC02EB368EF3AAD0EEF80
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5caaab5f722d6ce46d310ca8ec3cac2740ee6ae23004745bd4b7473fdd7c37eb
                      • Instruction ID: f668d7660e77bba7abc779e562175370e40cdb34cdb91eade6cdfae09e89485b
                      • Opcode Fuzzy Hash: 5caaab5f722d6ce46d310ca8ec3cac2740ee6ae23004745bd4b7473fdd7c37eb
                      • Instruction Fuzzy Hash: 2E419171F00219AFCB44EBB9C44466EBBFAFFC9300F248569D44ADB345DA34AD428B91
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bebc917338bc40d1ebe23657f7f737ef15c135a03cd785110c17b9831d1fb45b
                      • Instruction ID: 80b66991d3243e8b57154780f53cd26ecaa57105cab7e4d71f747a9398a3b472
                      • Opcode Fuzzy Hash: bebc917338bc40d1ebe23657f7f737ef15c135a03cd785110c17b9831d1fb45b
                      • Instruction Fuzzy Hash: C32151306542029FEB68BB78D84466EBBA4BF04701705562DB816EE281EB64894C9B61
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320555627.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_152d000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3c339bfd1eece56ae672fe44bb8d57ca9b2674605f01f69d26eaaf57e5961602
                      • Instruction ID: f547f1b5ae35113ff8bddc8cf2c68c3c24d29f4354dd50f42d5edb6e3e4a4077
                      • Opcode Fuzzy Hash: 3c339bfd1eece56ae672fe44bb8d57ca9b2674605f01f69d26eaaf57e5961602
                      • Instruction Fuzzy Hash: 8D210672604240DFDB15DF54D9C0B2ABFB5FB84324F20C569D9090E296C376D456CBA2
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 85b14cc96f997dfd96a764ac116eaa3aa897dbdd0f589d7be4562cc72acf150e
                      • Instruction ID: c3f9713634e6c7beb0b2e298bf6e6af984b09405b5bbb6b262f837b26b6583c3
                      • Opcode Fuzzy Hash: 85b14cc96f997dfd96a764ac116eaa3aa897dbdd0f589d7be4562cc72acf150e
                      • Instruction Fuzzy Hash: 9A2130307112028FEB68BB7DD51462EBBE5BF04601705593DB912EA2C5EFA0D94C9751
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5b42beeb6a02bf1e20202d8ce2de51fb9d649670b35d6469eefa4bb17e8491d1
                      • Instruction ID: 1d2c2f68ab437d99f3c77a1173f53a8d526b7fa62fff23a278bbd594b6e46977
                      • Opcode Fuzzy Hash: 5b42beeb6a02bf1e20202d8ce2de51fb9d649670b35d6469eefa4bb17e8491d1
                      • Instruction Fuzzy Hash: 74118C70A002019FCB54EBB8D5449AA7BFAFF88620715047DE805DB224EB359C06DB90
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320555627.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_152d000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                      • Instruction ID: 3d559abf8628a4567d530933b0b44676d2f38ed0fc472d54ec121c94db05e393
                      • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                      • Instruction Fuzzy Hash: FC119D76604280CFDB16CF58D5C4B1ABF72FB84324F2485A9D9490A296C376D456CBA2
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4d0cb6a6c89df29dafd28759c9b39861ad2d7decafc03337d329a1e118c47c26
                      • Instruction ID: a808ce982e35810fbaec353d4cb47c3cc5e63a6e016d5a10b35661689d5b8e45
                      • Opcode Fuzzy Hash: 4d0cb6a6c89df29dafd28759c9b39861ad2d7decafc03337d329a1e118c47c26
                      • Instruction Fuzzy Hash: EB118730B002049FCB54EBBDD559A6A7BE6BF88611725487CD80AEB324EE31DC02CB90
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 96d249cdb908ddeda253f428d674673f1a2e9ad1c67cd931af7be7b3a5fe4269
                      • Instruction ID: f8079fb7e56423d895e0ddb9436907efa8192071bf334c0961fa7774aba5da90
                      • Opcode Fuzzy Hash: 96d249cdb908ddeda253f428d674673f1a2e9ad1c67cd931af7be7b3a5fe4269
                      • Instruction Fuzzy Hash: A7F065717452915FC707627C58109AD3FA9AF8721071554DAE401EF2A3D5188C0587A1
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: baa122cc6faa8f99d3bf2b942c7d3a12f5c9ec53c23a690a8fc11490cd52abf2
                      • Instruction ID: ab5258335aef4abe0ee74361c201b8ca94667505099d797500528cc8e0569520
                      • Opcode Fuzzy Hash: baa122cc6faa8f99d3bf2b942c7d3a12f5c9ec53c23a690a8fc11490cd52abf2
                      • Instruction Fuzzy Hash: 6DE08C323002105F8748966EA88495ABBDAEBC8260325487AE50AC7315DD71DC054790
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 44cb893927432abd5c64344fc247da63b32cd0ed11e3b53c082fa71c81873784
                      • Instruction ID: 5279d5e69eeee961841670ce652f4fd652b376b62d7a66f5f762c94c3d4cfafb
                      • Opcode Fuzzy Hash: 44cb893927432abd5c64344fc247da63b32cd0ed11e3b53c082fa71c81873784
                      • Instruction Fuzzy Hash: 42E09B312087A54BDB35D378D01139E7FD26F81319F04096EC1865B681CBB7B90943A2
                      Memory Dump Source
                      • Source File: 00000008.00000002.1320828986.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_8_2_1580000_Aviso de transferencia.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fec62f7b8f168807b04c0d78f84c9f2e6e34afb7f98ae91ea9f80e54f8a21e3f
                      • Instruction ID: ab9cea84fbdf2fcac38ee9a67a93fef3e1f43691f7e83441cc76401bb82c3c03
                      • Opcode Fuzzy Hash: fec62f7b8f168807b04c0d78f84c9f2e6e34afb7f98ae91ea9f80e54f8a21e3f
                      • Instruction Fuzzy Hash: 24D0A7327001245BC700B6FDE40559D3BD9AFCE61076444A5E105DF3A5DD25EC0107D4

                      Execution Graph

                      Execution Coverage: 10.4%
                      Dynamic/Decrypted Code Coverage: 100%
                      Signature Coverage: 0%
                      Total number of Nodes: 151
                      Total number of Limit Nodes: 8

                      Control-flow Graph: function at 2ced3e8 (rendered graph not preserved)
                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 02CED476
                      • GetCurrentThread.KERNEL32 ref: 02CED4B3
                      • GetCurrentProcess.KERNEL32 ref: 02CED4F0
                      • GetCurrentThreadId.KERNEL32 ref: 02CED549
                      Memory Dump Source
                      • Source File: 00000011.00000002.1390058911.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_2ce0000_windowsBook.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: 6449129c1b9b0958328f1ee1d83f80c0adcf6a86eb6bf5e0c873118e5859cef4
                      • Instruction ID: 86c44702b1da78a1e55ee3a874bd1e2a716e41552eb44db10547685feaaea61f
                      • Opcode Fuzzy Hash: 6449129c1b9b0958328f1ee1d83f80c0adcf6a86eb6bf5e0c873118e5859cef4
                      • Instruction Fuzzy Hash: 055178B0D013098FDB24DFAAD549B9EBBF5EF88314F208459E01AA73A0DB346945CF65

                      Control-flow Graph: function at 2ced3f8 (rendered graph not preserved)
                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 02CED476
                      • GetCurrentThread.KERNEL32 ref: 02CED4B3
                      • GetCurrentProcess.KERNEL32 ref: 02CED4F0
                      • GetCurrentThreadId.KERNEL32 ref: 02CED549
                      Memory Dump Source
                      • Source File: 00000011.00000002.1390058911.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_2ce0000_windowsBook.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: 008fd6aeed677fd54e3ff2d90502466f7a2ee19a0512908020f91a4d3b299da1
                      • Instruction ID: 5bd7a84ee993fbf77099cc6a5464e725d60132d470c8657c9a1a3b0cb1ce33ed
                      • Opcode Fuzzy Hash: 008fd6aeed677fd54e3ff2d90502466f7a2ee19a0512908020f91a4d3b299da1
                      • Instruction Fuzzy Hash: 285176B0D013098FDB24DFAAD549B9EBBF5EF88314F208059E41AA73A0DB346944CF65

                      Control-flow Graph: function at 73ff424 (rendered graph not preserved)
                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073FF666
                      Memory Dump Source
                      • Source File: 00000011.00000002.1394733947.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_73f0000_windowsBook.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 052b3d4f132cfc63b258baeda7501b40e032e3368c65d68347bac69b3ffabb9a
                      • Instruction ID: 55d6d4b34357d57f84e6d3f0043f8ff16516e85280136f4e98ba5bf92a1f4ba6
                      • Opcode Fuzzy Hash: 052b3d4f132cfc63b258baeda7501b40e032e3368c65d68347bac69b3ffabb9a
                      • Instruction Fuzzy Hash: 73A17FB1D0071ACFEB24DF68C841BEDBBB2BF44350F148169E948A7280DB759985CF91

                      Control-flow Graph: function at 73ff430 (rendered graph not preserved)
                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073FF666
                      Memory Dump Source
                      • Source File: 00000011.00000002.1394733947.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_73f0000_windowsBook.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 63976a595c57d82b03599c3acc66d1332aa2732a490d42c1764c88c43aa05f33
                      • Instruction ID: 3fcdcfaaa8ca3cac6b6eb2b81e3503bc687b1209dbff88474d053adabaf7536b
                      • Opcode Fuzzy Hash: 63976a595c57d82b03599c3acc66d1332aa2732a490d42c1764c88c43aa05f33
                      • Instruction Fuzzy Hash: 61916DB1D0071ACFEB24DF68C841BEDBBB2BF48354F148169E948A7280DB759985CF91

                      Control-flow Graph: function at 2cead68 (rendered graph not preserved)
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02CEAFBE
                      Memory Dump Source
                      • Source File: 00000011.00000002.1390058911.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_2ce0000_windowsBook.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 4c2a4f0044be2ab8666442e3c076ab59a54d5153b5eb591e2cf60bccd3379d0a
                      • Instruction ID: 740d3bf9c2e93d2cf9fe07a620fd08d8ca515eddb7377c11e09d23bd5a114f82
                      • Opcode Fuzzy Hash: 4c2a4f0044be2ab8666442e3c076ab59a54d5153b5eb591e2cf60bccd3379d0a
                      • Instruction Fuzzy Hash: 20712470A00B458FDB24DF2AD44175ABBF2FF88304F048A2DD48AD7A50DB75E956CB91

                      Control-flow Graph: function at 2ce44e0 (rendered graph not preserved)
                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 02CE59C9
                      Memory Dump Source
                      • Source File: 00000011.00000002.1390058911.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_2ce0000_windowsBook.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: cb2f60facadcff4d65db5e877b6509d9343c7de4a13c66c6b34112ca4a3fc067
                      • Instruction ID: f1aca9ed84d32a181b31a3de1f984707f31acceaab84a10207f3b9dd4f3d5cbd
                      • Opcode Fuzzy Hash: cb2f60facadcff4d65db5e877b6509d9343c7de4a13c66c6b34112ca4a3fc067
                      • Instruction Fuzzy Hash: 2241F2B1C0071DCBEB24DFA9C88579DBBF5BF48304F60806AD409AB251DB756946CF90

                      Control-flow Graph: function at 2ce590c (rendered graph not preserved)
                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 02CE59C9
                      Memory Dump Source
                      • Source File: 00000011.00000002.1390058911.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_2ce0000_windowsBook.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: b8714edac8f9e4b28e1e4f4069647c061ccb12e51c2c83420c5d7d76eb5ab973
                      • Instruction ID: 4437bf9cae3885ae2e5ff0abfd7f8a8272e4373f433d7d8c1fd41d0d9c467c3b
                      • Opcode Fuzzy Hash: b8714edac8f9e4b28e1e4f4069647c061ccb12e51c2c83420c5d7d76eb5ab973
                      • Instruction Fuzzy Hash: 1341F1B1C0071DCBEB24CFA9C98579DBBB5BF48304F60816AD409AB254DB755946CF90

                      Control-flow Graph: function at 2ced701 (rendered graph not preserved)
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02CED6C7
                      Memory Dump Source
                      • Source File: 00000011.00000002.1390058911.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_2ce0000_windowsBook.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 6b6ef95caf47f22f11a8ba4f0df2f7082315b61e43b417a7dd9a63011db3826f
                      • Instruction ID: e38c6f3ac82b18f44a35b085802c7e3e3217d12cde7ccfc37f1ae085b5f4e0df
                      • Opcode Fuzzy Hash: 6b6ef95caf47f22f11a8ba4f0df2f7082315b61e43b417a7dd9a63011db3826f
                      • Instruction Fuzzy Hash: B9318434E80341CFEB15DF61F8557293BA9F788310F108929EA118F7D4CAB49865CF51

                      Control-flow Graph: function at 73ff1a2 (rendered graph not preserved)
                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073FF238
                      Memory Dump Source
                      • Source File: 00000011.00000002.1394733947.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_73f0000_windowsBook.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: d2f7cb4339ac47cc7cd484ea6a5f865ee5fed237a09a6f76fd665b6989874d81
                      • Instruction ID: 6fdc3f4d4c9dc2b8ecb272c9cfb7c0431bd7156cebcdeb6ec7e3781d3ee3bece
                      • Opcode Fuzzy Hash: d2f7cb4339ac47cc7cd484ea6a5f865ee5fed237a09a6f76fd665b6989874d81
                      • Instruction Fuzzy Hash: 832137B590034D9FDB10DFA9C881BEEBBF5FF48310F50842AE958A7240C7789945CBA0

                      Control-flow Graph: function at 73ff1a8 (rendered graph not preserved)
                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073FF238
                      Memory Dump Source
                      • Source File: 00000011.00000002.1394733947.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_73f0000_windowsBook.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 7f435b60d32297525caf825d31894ce92f69344a2c3b944712c89bcc6676f284
                      • Instruction ID: 5bb6eddf186d906fa7ead0529d0fbdc2705c6a777a6d7cd8bbf90ca0d7d2ac8e
                      • Opcode Fuzzy Hash: 7f435b60d32297525caf825d31894ce92f69344a2c3b944712c89bcc6676f284
                      • Instruction Fuzzy Hash: E62115B590034D9FDB10DFA9C881BEEBBF5FB48310F50842AE918A7240C7789941CBA4

                      Control-flow Graph: function at 73ff290 (rendered graph not preserved)
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073FF318
                      Memory Dump Source
                      • Source File: 00000011.00000002.1394733947.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_73f0000_windowsBook.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: 51be9f8477caf34bb187ca64916e3ef8cca81fa8b43bdcc2b48235ed2859c3c1
                      • Instruction ID: 1d90ad785eb6caf803605793e8ad00cd7a70e88ca2e6f4ab357b9870887d8217
                      • Opcode Fuzzy Hash: 51be9f8477caf34bb187ca64916e3ef8cca81fa8b43bdcc2b48235ed2859c3c1
                      • Instruction Fuzzy Hash: E52105B5C003599FDB10DFAAC881BEEBBF5FF48310F50842AE959A7240C7399945CBA5
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073FF08E
                      Memory Dump Source
                      • Source File: 00000011.00000002.1394733947.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_73f0000_windowsBook.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: 7a6dbe105353c370d38360b5c1528e369ef3c24b60dc2dfafbf3106fceaf72b7
                      • Instruction ID: 0317151884b2abe20fcb39a45a7093c60e7cd91998875affa714276c62f60e7f
                      • Opcode Fuzzy Hash: 7a6dbe105353c370d38360b5c1528e369ef3c24b60dc2dfafbf3106fceaf72b7
                      • Instruction Fuzzy Hash: BD2148B5D0030A9FDB24DFA9C4817EEBBF0AF48310F14842AD919A7340DB789945CFA1
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073FF318
                      Memory Dump Source
                      • Source File: 00000011.00000002.1394733947.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_73f0000_windowsBook.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: fc33ae8fc5707d3e616b1f35d10864d91194f27fd5aad237bbea64c1ffa5f241
                      • Instruction ID: e3a37cb48ad2a40737f7f0284d805ef684d636f83b4bd7183539ea2c926004e4
                      • Opcode Fuzzy Hash: fc33ae8fc5707d3e616b1f35d10864d91194f27fd5aad237bbea64c1ffa5f241
                      • Instruction Fuzzy Hash: 0621F5B5C003599FDB10DFAAC881BEEBBF5FF48310F50842AE959A7240C7799941CBA5
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073FF08E
                      Memory Dump Source
                      • Source File: 00000011.00000002.1394733947.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_73f0000_windowsBook.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: a574b92650c31ec8d28227b3d5b1beee2b723e5779548bbd4d55cec57040b446
                      • Instruction ID: 6232527cbf659560488423dacd3851d3a406fded751744a47a6726e9f1160043
                      • Opcode Fuzzy Hash: a574b92650c31ec8d28227b3d5b1beee2b723e5779548bbd4d55cec57040b446
                      • Instruction Fuzzy Hash: 082138B5D0030A8FDB20DFAAC4857AEBBF4EF48310F54842AD959A7340CB789945CFA5
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02CED6C7
                      Memory Dump Source
                      • Source File: 00000011.00000002.1390058911.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_2ce0000_windowsBook.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 2e72c90d40f42626278ffa90383661b68353e891e5ef6872146fa001f72cf96a
                      • Instruction ID: 260a221736cd8baecf8b5b0f08646bed1c29cd80f02db35d190d257a38ea039b
                      • Opcode Fuzzy Hash: 2e72c90d40f42626278ffa90383661b68353e891e5ef6872146fa001f72cf96a
                      • Instruction Fuzzy Hash: AF21E4B5D003489FDB10CF9AD985ADEBBF8FB48310F14841AE919A3350C378A940CF65
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02CED6C7
                      Memory Dump Source
                      • Source File: 00000011.00000002.1390058911.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_2ce0000_windowsBook.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: e3cc3a5a92064aaa62206a6663d3dbd041cdb8c9ac15b1ed839c8abc88640654
                      • Instruction ID: d9f159212210ab1149e0b7906b622cc721c028f38270b89c511c4da2a29241b7
                      • Opcode Fuzzy Hash: e3cc3a5a92064aaa62206a6663d3dbd041cdb8c9ac15b1ed839c8abc88640654
                      • Instruction Fuzzy Hash: 4E21E4B5D002089FDB10CF9AD985AEEBBF9FB48310F14841AE959A7350D378A944CF65
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073FF156
                      Memory Dump Source
                      • Source File: 00000011.00000002.1394733947.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_73f0000_windowsBook.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 8d3395f94830fc5fd929835caf05f9b909cd579b8e5d78b9d2ad88d64352761b
                      • Instruction ID: a9ad6fc84420879f30c9999eff3b71b965e81b1a536c9898c30ce3404787976a
                      • Opcode Fuzzy Hash: 8d3395f94830fc5fd929835caf05f9b909cd579b8e5d78b9d2ad88d64352761b
                      • Instruction Fuzzy Hash: B92147768003499FDB20DFAAC845BEFBBF5EF48320F14841AE919A7250CB759944CFA5
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073FF156
                      Memory Dump Source
                      • Source File: 00000011.00000002.1394733947.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_73f0000_windowsBook.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 65e15936234eb8ee900556c1b77475b9536b80a998cfee7d6027521f1856f997
                      • Instruction ID: 05632553cad0a20c33bb107eecba31ab6281fbdee8266c70460fddada0d8f66e
                      • Opcode Fuzzy Hash: 65e15936234eb8ee900556c1b77475b9536b80a998cfee7d6027521f1856f997
                      • Instruction Fuzzy Hash: 8D112675C003499FDB20DFAAC845BEFBBF5EB48320F148419E919A7250CB759940CFA4
                      APIs
                      Memory Dump Source
                      • Source File: 00000011.00000002.1394733947.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_73f0000_windowsBook.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: a170c5cea498429170f63be67393908cb33f08d5fe042bb239fe08539b608d2e
                      • Instruction ID: 702d3168a91970b257db20dde118f3de5848b7609a4bbb88f83983230e39802e
                      • Opcode Fuzzy Hash: a170c5cea498429170f63be67393908cb33f08d5fe042bb239fe08539b608d2e
                      • Instruction Fuzzy Hash: 98118BB5C003498FDB20DFAAC4457EEFBF4EB48320F60841AD519A7640CB355904CB90
                      APIs
                      • PostMessageW.USER32(?,?,?,?), ref: 09C7125D
                      Memory Dump Source
                      • Source File: 00000011.00000002.1395335887.0000000009C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_9c70000_windowsBook.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: ae90090450c93ba7bd98a2ca0e5bad458f565f1b38d05d3b52711b3c2184e204
                      • Instruction ID: 3d36a08a27219e4db1abb243a2205b49085d6817837361b67c6a3112644a09c4
                      • Opcode Fuzzy Hash: ae90090450c93ba7bd98a2ca0e5bad458f565f1b38d05d3b52711b3c2184e204
                      • Instruction Fuzzy Hash: 6311F5B58003499FDB10DF9AD885BEEFBF8EB48324F20845AE518A7640C375A944CFA1
                      APIs
                      Memory Dump Source
                      • Source File: 00000011.00000002.1394733947.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_73f0000_windowsBook.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 76ded82ccb2144b602b5127ead64871b022a54a7f0d922e0dcca95721cb90487
                      • Instruction ID: 75edc3c93890ef77fa862cf85e9f708cb508001f1491e2659d06a9ed24201093
                      • Opcode Fuzzy Hash: 76ded82ccb2144b602b5127ead64871b022a54a7f0d922e0dcca95721cb90487
                      • Instruction Fuzzy Hash: A8116AB1C003498FDB20DFAAC4457AEFBF4EB88320F208419D519A7340CB396900CF94
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02CEAFBE
                      Memory Dump Source
                      • Source File: 00000011.00000002.1390058911.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_2ce0000_windowsBook.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 4f0a82f652c4ff2bd2a6fc00ce70de320be3af226826ead2322e94f336aaf7ec
                      • Instruction ID: 2f5930c1ca8f003e094c966af6cdcb31e3cbf1cd037bc50d65cc0026dc7b4db5
                      • Opcode Fuzzy Hash: 4f0a82f652c4ff2bd2a6fc00ce70de320be3af226826ead2322e94f336aaf7ec
                      • Instruction Fuzzy Hash: E311E3B6C003498FDB10DF9AD444BDEFBF4EB88314F11845AD419A7610C379A545CFA5
                      APIs
                      • PostMessageW.USER32(?,?,?,?), ref: 09C7125D
                      Memory Dump Source
                      • Source File: 00000011.00000002.1395335887.0000000009C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_9c70000_windowsBook.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      APIs
                      • CloseHandle.KERNELBASE(?), ref: 09C73DD8
                      Memory Dump Source
                      • Source File: 00000011.00000002.1395335887.0000000009C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_9c70000_windowsBook.jbxd
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      APIs
                      • CloseHandle.KERNELBASE(?), ref: 09C73DD8
                      Memory Dump Source
                      • Source File: 00000011.00000002.1395335887.0000000009C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_9c70000_windowsBook.jbxd
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      Memory Dump Source
                      • Source File: 00000011.00000002.1389822529.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_149d000_windowsBook.jbxd
                      Memory Dump Source
                      • Source File: 00000011.00000002.1389872953.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_14ad000_windowsBook.jbxd
                      Memory Dump Source
                      • Source File: 00000011.00000002.1389872953.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_14ad000_windowsBook.jbxd
                      Memory Dump Source
                      • Source File: 00000011.00000002.1389872953.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_14ad000_windowsBook.jbxd
                      Memory Dump Source
                      • Source File: 00000011.00000002.1389822529.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_149d000_windowsBook.jbxd
                      Memory Dump Source
                      • Source File: 00000011.00000002.1389872953.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_14ad000_windowsBook.jbxd
                      Memory Dump Source
                      • Source File: 00000011.00000002.1389822529.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_149d000_windowsBook.jbxd
                      Memory Dump Source
                      • Source File: 00000011.00000002.1389822529.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_149d000_windowsBook.jbxd

                      Execution Graph

                      Execution Coverage: 9.9%
                      Dynamic/Decrypted Code Coverage: 100%
                      Signature Coverage: 0%
                      Total number of Nodes: 145
                      Total number of Limit Nodes: 7

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 00FCD476
                      • GetCurrentThread.KERNEL32 ref: 00FCD4B3
                      • GetCurrentProcess.KERNEL32 ref: 00FCD4F0
                      • GetCurrentThreadId.KERNEL32 ref: 00FCD549
                      Memory Dump Source
                      • Source File: 00000012.00000002.1398883352.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_fc0000_windowsBook.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 00FCD476
                      • GetCurrentThread.KERNEL32 ref: 00FCD4B3
                      • GetCurrentProcess.KERNEL32 ref: 00FCD4F0
                      • GetCurrentThreadId.KERNEL32 ref: 00FCD549
                      Memory Dump Source
                      • Source File: 00000012.00000002.1398883352.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_fc0000_windowsBook.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0

                      Control-flow Graph

                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FEF666
                      Memory Dump Source
                      • Source File: 00000012.00000002.1406959136.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_6fe0000_windowsBook.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0

                      Control-flow Graph

                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FEF666
                      Memory Dump Source
                      • Source File: 00000012.00000002.1406959136.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_6fe0000_windowsBook.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0

                      Control-flow Graph

                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00FCAFBE
                      Memory Dump Source
                      • Source File: 00000012.00000002.1398883352.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_fc0000_windowsBook.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0

                      Control-flow Graph

                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 00FC59C9
                      Memory Dump Source
                      • Source File: 00000012.00000002.1398883352.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_fc0000_windowsBook.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0

                      Control-flow Graph

                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 00FC59C9
                      Memory Dump Source
                      • Source File: 00000012.00000002.1398883352.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_fc0000_windowsBook.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0

                      Control-flow Graph

                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FCD6C7
                      Memory Dump Source
                      • Source File: 00000012.00000002.1398883352.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_fc0000_windowsBook.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0

                      Control-flow Graph

                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FEF238
                      Memory Dump Source
                      • Source File: 00000012.00000002.1406959136.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_6fe0000_windowsBook.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0

                      Control-flow Graph

                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FEF238
                      Memory Dump Source
                      • Source File: 00000012.00000002.1406959136.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_6fe0000_windowsBook.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0

                      Control-flow Graph (basic blocks and edges recovered from the graph data; executed/not-executed colouring did not survive extraction)
                      • 885: 6fef290-6fef325 (calls ReadProcessMemory) → 888, 889
                      • 888: 6fef32e-6fef35e
                      • 889: 6fef327-6fef32d → 888
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FEF318
                      Memory Dump Source
                      • Source File: 00000012.00000002.1406959136.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_6fe0000_windowsBook.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: ee88241d6f740c8fbb2588af5711899dd015a5be851d985f300d62ed00bbc627
                      • Instruction ID: 62481663d10c1b5c3ca0729839e1a214d2a05a3867a4a11492f2eed55bb979fc
                      • Opcode Fuzzy Hash: ee88241d6f740c8fbb2588af5711899dd015a5be851d985f300d62ed00bbc627
                      • Instruction Fuzzy Hash: B2211671C013499FDB10DFAAC881BDEBBF5FF48310F54842AE958A7240C7799945CBA1
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FEF318
                      Memory Dump Source
                      • Source File: 00000012.00000002.1406959136.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_6fe0000_windowsBook.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: e16dd7e95e0b62a79bce6ca990476b4cd280fabc79e2af2120e80933c66379e8
                      • Instruction ID: ca49e6a532540714e6e18fa7d0178c661adc9c3495dbb1f05749be5d5fe0f5ba
                      • Opcode Fuzzy Hash: e16dd7e95e0b62a79bce6ca990476b4cd280fabc79e2af2120e80933c66379e8
                      • Instruction Fuzzy Hash: 6221F571C013499FDB10DFAAC881BEEBBF5FF48310F54842AE919A7240D7799941CBA5
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FEF08E
                      Memory Dump Source
                      • Source File: 00000012.00000002.1406959136.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_6fe0000_windowsBook.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: a7c0387b4ce61a1229da8f91ad08551026c41adf9b08c51e934baddc6451465f
                      • Instruction ID: bb08aba2382325592ff2a2e2c74bebe3d5f71a50e34e2737673838b0631982a9
                      • Opcode Fuzzy Hash: a7c0387b4ce61a1229da8f91ad08551026c41adf9b08c51e934baddc6451465f
                      • Instruction Fuzzy Hash: B9214771D003098FDB20DFAAC485BEEBBF4EF88320F54842AD519A7240DB789945CFA4
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FEF08E
                      Memory Dump Source
                      • Source File: 00000012.00000002.1406959136.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_6fe0000_windowsBook.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: bc9a35ad3a576a62ee363580f9e4fe3f2418e8930052af42476f1e0dc18edc6b
                      • Instruction ID: 54c1eff87ce76efec09a91a4f80392d86f2d79a008be36c47e8a03a4cca9d672
                      • Opcode Fuzzy Hash: bc9a35ad3a576a62ee363580f9e4fe3f2418e8930052af42476f1e0dc18edc6b
                      • Instruction Fuzzy Hash: 5A2137B1D003098FDB54DFAAC485BAEBBF0EF48320F14842AD559A7640DB789945CFA0
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FCD6C7
                      Memory Dump Source
                      • Source File: 00000012.00000002.1398883352.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_fc0000_windowsBook.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: ef1f5c8d52d417de9b0fe535097e90667c31b50f9b9b89fb589c92352fc39d64
                      • Instruction ID: 42c6aa4b3ebe65cead77df0cdcfefdbe65600179e5f0a36a9d6e26e744ea3cc2
                      • Opcode Fuzzy Hash: ef1f5c8d52d417de9b0fe535097e90667c31b50f9b9b89fb589c92352fc39d64
                      • Instruction Fuzzy Hash: 4F21E2B5D002099FDB10CFAAD985ADEBBF5FB48320F14842AE918A7350D378A944DF61
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FCD6C7
                      Memory Dump Source
                      • Source File: 00000012.00000002.1398883352.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_fc0000_windowsBook.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 170bbfcdbd016b1cba3ff6c19804b3d4ade12f89d1db368f54ef0829cd584d7d
                      • Instruction ID: fbb56fcc20126d7ce3a0f159e46c75a3672346de4e89860f3d310e05e85aad67
                      • Opcode Fuzzy Hash: 170bbfcdbd016b1cba3ff6c19804b3d4ade12f89d1db368f54ef0829cd584d7d
                      • Instruction Fuzzy Hash: 4E21E4B5D003099FDB10CF9AD985ADEBBF4FB48320F14842AE918A3350D374A940DF65
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FEF156
                      Memory Dump Source
                      • Source File: 00000012.00000002.1406959136.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_6fe0000_windowsBook.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 98814f3115263b2c443b3ab556bf111977f503e7b99cae2d098f3ea7e145f3ee
                      • Instruction ID: 57ce5f42f769b7d9a93cf560a90ec482d29ad29093de5ac198f40b3bf2adc9c4
                      • Opcode Fuzzy Hash: 98814f3115263b2c443b3ab556bf111977f503e7b99cae2d098f3ea7e145f3ee
                      • Instruction Fuzzy Hash: C2213871C003499FDB21DFA9C845BDFBFF5AB49320F148419E559A7250CB759540CFA1
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FEF156
                      Memory Dump Source
                      • Source File: 00000012.00000002.1406959136.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_6fe0000_windowsBook.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: aa903478afa1f0f3fb2a37ad16fc1b3cacf5db685a7907c71aaea372ca6cc8a5
                      • Instruction ID: 45bed3aab0e135d02506ac36a63b1b31770fa07e3e72aa1b68c19db8a9931476
                      • Opcode Fuzzy Hash: aa903478afa1f0f3fb2a37ad16fc1b3cacf5db685a7907c71aaea372ca6cc8a5
                      • Instruction Fuzzy Hash: 64111471C0034D9FDB20DFAAC845BDEBBF5EB48320F148419E519A7250CB799940CBA0
                      APIs
                      Memory Dump Source
                      • Source File: 00000012.00000002.1406959136.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_6fe0000_windowsBook.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 9699394a61d1c8abd659055604f8343482159f207e3ce81604c62fbf81d79bb9
                      • Instruction ID: dff22d52e7772099ce306eea28e5ae9c8098872dd4bbeeb7450874769d822434
                      • Opcode Fuzzy Hash: 9699394a61d1c8abd659055604f8343482159f207e3ce81604c62fbf81d79bb9
                      • Instruction Fuzzy Hash: 8D114671C003898FDB20DFAAD8457DEBFF5EB88320F24841AD419AB640CB79A901CB95
                      APIs
                      Memory Dump Source
                      • Source File: 00000012.00000002.1406959136.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_6fe0000_windowsBook.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: ab1ecdb97b62fe8051079d3b089f844836c825d39c9ee2b37dfe5d0b76ef4908
                      • Instruction ID: 2060816e5cfebe4df23bbd3aed18cba36ab0ea1ed575bbbea7e7c87033add8cd
                      • Opcode Fuzzy Hash: ab1ecdb97b62fe8051079d3b089f844836c825d39c9ee2b37dfe5d0b76ef4908
                      • Instruction Fuzzy Hash: 59116671C003488FDB20DFAAD8457DEFBF4EB88320F24842AD419A7240CB79A900CFA5
                      APIs
                      • PostMessageW.USER32(?,?,?,?), ref: 0985111D
                      Memory Dump Source
                      • Source File: 00000012.00000002.1410166866.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_9850000_windowsBook.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: a099bee9ee040726aa39b80b25bd53b1b5530afab8c42cc7d027c3942574f9eb
                      • Instruction ID: 4228f1660854e73a63f65a1af7a64e1f57955db01e86c08ed87493333db73db0
                      • Opcode Fuzzy Hash: a099bee9ee040726aa39b80b25bd53b1b5530afab8c42cc7d027c3942574f9eb
                      • Instruction Fuzzy Hash: 9711F5B58003499FDB10DF9AD845BDEFFF8EB48320F108459E959A7250C375A944CFA1
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00FCAFBE
                      Memory Dump Source
                      • Source File: 00000012.00000002.1398883352.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_fc0000_windowsBook.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 04c033820acfaa970040ae7c8d6b93d927f48c1871ac59d2d0f7599408a222d8
                      • Instruction ID: fa02fa035d8de8cdc3348608740d9710543fd13ab1ce4f0025f6d23d43ec5a8a
                      • Opcode Fuzzy Hash: 04c033820acfaa970040ae7c8d6b93d927f48c1871ac59d2d0f7599408a222d8
                      • Instruction Fuzzy Hash: 27110FB5C002498FCB20CF9AD545BDEFBF4EB88328F10842ED428A7600D379A945CFA1
                      APIs
                      • PostMessageW.USER32(?,?,?,?), ref: 0985111D
                      Memory Dump Source
                      • Source File: 00000012.00000002.1410166866.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_9850000_windowsBook.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: 446b8b549f89a3db6c5b46494f566fd6b09fb82e2510716b1f01ee1966498e4c
                      • Instruction ID: 233b6e227c7366780c4fa839875eab6afe3148321fdd21c8ec92ce7893eee8f6
                      • Opcode Fuzzy Hash: 446b8b549f89a3db6c5b46494f566fd6b09fb82e2510716b1f01ee1966498e4c
                      • Instruction Fuzzy Hash: D811D3B58003499FDB10DF9AD985BDEFBF8EB58320F10845AE919A7340C375A944CFA5
                      APIs
                      • CloseHandle.KERNELBASE(?), ref: 09853C90
                      Memory Dump Source
                      • Source File: 00000012.00000002.1410166866.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_9850000_windowsBook.jbxd
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      • Opcode ID: 402c378b91826afd511805761d3173241d59bec35e9fbfc64ca65fc335ef1abe
                      • Instruction ID: 4d4997d101e144619e1202d648c1029944dbb1b14015c4159b131a8004967436
                      • Opcode Fuzzy Hash: 402c378b91826afd511805761d3173241d59bec35e9fbfc64ca65fc335ef1abe
                      • Instruction Fuzzy Hash: 571143B5C003498FCB20DF9AC545BDEBBF4EB48320F14841AD968A7341D739A944CFA1
                      APIs
                      • CloseHandle.KERNELBASE(?), ref: 09853C90
                      Memory Dump Source
                      • Source File: 00000012.00000002.1410166866.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_9850000_windowsBook.jbxd
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      • Opcode ID: 5113f05906762baa64b65f5ebc950fc570d372fa73bcc315e056764f095dd8ca
                      • Instruction ID: 9d06661bb2d9dab0c17d5ce3d5447d5f02a76b1271f779009c6cb7a3bb8b9e26
                      • Opcode Fuzzy Hash: 5113f05906762baa64b65f5ebc950fc570d372fa73bcc315e056764f095dd8ca
                      • Instruction Fuzzy Hash: 5F1110B58002498FCB20DF9AC545BDEBBF4EB48320F10841AD959A7340D738A944CFA5
                      Memory Dump Source
                      • Source File: 00000012.00000002.1397916209.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_e5d000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 061e42cc4abdbb12d6523322b7302f671ff00cffbe6dc5b59a2b11bbcc011ad1
                      • Instruction ID: 92576e66012ce14541e12f090d48105a6afdd72cbc4c6f35855687ec468a6d8d
                      • Opcode Fuzzy Hash: 061e42cc4abdbb12d6523322b7302f671ff00cffbe6dc5b59a2b11bbcc011ad1
                      • Instruction Fuzzy Hash: A2210371508240DFDB25DF14DDC0B26BF65FB98329F20C969EC091B256D336D85ACAA2
                      Memory Dump Source
                      • Source File: 00000012.00000002.1397916209.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_e5d000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c605f159b1816ded107fbd096fc9cd2efadea2b5bca1a5abe51a41837892216b
                      • Instruction ID: 9a59674df63228bb9090cd9e213efb954e51d4df02bd9cf171b45ab19bfa8329
                      • Opcode Fuzzy Hash: c605f159b1816ded107fbd096fc9cd2efadea2b5bca1a5abe51a41837892216b
                      • Instruction Fuzzy Hash: 64210671508204DFDB24DF10DDC0B16BB65FB94325F20C969DC095F256C336E85ACAA2
                      Memory Dump Source
                      • Source File: 00000012.00000002.1398653330.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_f6d000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 88521fcf595318f859f63f0e23a66a53e6d2ea3d96c5b2a57405dcc547764fa8
                      • Instruction ID: 6bd0e26eefb6bf08218e00153431f2329e5e1d9e5fa81aed66d7df6feba4f8ef
                      • Opcode Fuzzy Hash: 88521fcf595318f859f63f0e23a66a53e6d2ea3d96c5b2a57405dcc547764fa8
                      • Instruction Fuzzy Hash: B6210771F04304DFDB15DF10D9D0B25BB65FB84324F24C56DD8494B292C336D846DA61
                      Memory Dump Source
                      • Source File: 00000012.00000002.1398653330.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_f6d000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bbbf134b2dca36ac630a172d609f2fd62df74ac035c270524ea46b74a62b20a7
                      • Instruction ID: 1e97a4adbf307a9b20c33a486de657acc17581ae704ceb456ec94078920aae4f
                      • Opcode Fuzzy Hash: bbbf134b2dca36ac630a172d609f2fd62df74ac035c270524ea46b74a62b20a7
                      • Instruction Fuzzy Hash: 1A21D375A04240EFDB14DF14D984B16BB65EB84324F24C569D84A4B28AC336D847DA62
                      Memory Dump Source
                      • Source File: 00000012.00000002.1398653330.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_f6d000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: db315feab1fd1a67f535e0b16af95d816cdc040630129cd07fa0074ba6edcdec
                      • Instruction ID: 9ce974275455e3f7fb0e0648ecd0824211a8f148325c564e83b5123645d3cdf7
                      • Opcode Fuzzy Hash: db315feab1fd1a67f535e0b16af95d816cdc040630129cd07fa0074ba6edcdec
                      • Instruction Fuzzy Hash: EF2165759093C09FC716CF24D594715BF71EB46324F28C5EAD8498F6A7C33A980ACB62
                      Memory Dump Source
                      • Source File: 00000012.00000002.1397916209.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_e5d000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                      • Instruction ID: 97b8fb33a3b28f16bfaf6ce296df58a428611f287df0ed966dd367048e0efa09
                      • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                      • Instruction Fuzzy Hash: 1111E676504280CFCB15CF14D9C4B16BF72FB94328F24C6A9DC494B656C336D85ACBA1
                      Memory Dump Source
                      • Source File: 00000012.00000002.1397916209.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_e5d000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                      • Instruction ID: e918e4fec5ed091c438fff124a4a24a1a57d15f8d96ec304f4a7daf4e566702c
                      • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                      • Instruction Fuzzy Hash: 50110376504240CFCB15CF00D9C0B16BF72FB94324F24C6A9DC490B256C33AE85ACBA1
                      Memory Dump Source
                      • Source File: 00000012.00000002.1398653330.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_f6d000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                      • Instruction ID: b8a72a34bdd94e10a1d3db9b82406a2793dfbf07a1022aaad0477399f4898a2e
                      • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                      • Instruction Fuzzy Hash: AB11DD75A04280DFCB15CF10C9D0B15FBB2FB84324F28C6ADD8494B296C33AD84ACB61
                      Memory Dump Source
                      • Source File: 00000012.00000002.1397916209.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_e5d000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 22642287001b20adf2b768e5f395ac36fdc961590326538ab20dbb0fdfdd8396
                      • Instruction ID: 9a2669bf015ecac846f03821a0a75d874dc3ea4822fb50a4befaf34f0e33574f
                      • Opcode Fuzzy Hash: 22642287001b20adf2b768e5f395ac36fdc961590326538ab20dbb0fdfdd8396
                      • Instruction Fuzzy Hash: 0701A73150C3449FE7305A15DCC4B66BB98DF49726F18C95BED192A286C2799848CAB2
                      Memory Dump Source
                      • Source File: 00000012.00000002.1397916209.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_18_2_e5d000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 803b53f89bd10d2d87967b783a2e0d8e5f38409542a80a5720312b344e3964a2
                      • Instruction ID: ceb85c32ac46e74538a936fcc0ed758322b06cc5d584322339c000634c295fea
                      • Opcode Fuzzy Hash: 803b53f89bd10d2d87967b783a2e0d8e5f38409542a80a5720312b344e3964a2
                      • Instruction Fuzzy Hash: 9CF06D71408344AEE7208A16DC84B62FFA8EF55739F18C95BED085A296C279AC44CAB1
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1440813600.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_2ea0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID: (q$Teq
                      • API String ID: 0-2049869722
                      • Opcode ID: f92ba375016fa22124fb5e310227dc349e5f1a540d35f283700ebb322e005501
                      • Instruction ID: d274a62c8aa5802257cb930809478e31ad62ea8d652e14d0fab4ed263131ae90
                      • Opcode Fuzzy Hash: f92ba375016fa22124fb5e310227dc349e5f1a540d35f283700ebb322e005501
                      • Instruction Fuzzy Hash: 5E517E30B502149FC754DF69C464A9EBBF6FF89710F2581AAE806EF3A5CA759C01CB90
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1440813600.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_2ea0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID: Hq$dLq
                      • API String ID: 0-4038822049
                      • Opcode ID: 80688ef2b11f960f72a40a9ed48cf9432c869e16a47f4ca0cdca1ada88f19054
                      • Instruction ID: 5396966f8ac6caf36923fe611b6b0b50f0f50977e2f8c38536b60c6e5fe09bc0
                      • Opcode Fuzzy Hash: 80688ef2b11f960f72a40a9ed48cf9432c869e16a47f4ca0cdca1ada88f19054
                      • Instruction Fuzzy Hash: 4B51BD31A003148FDB18DF68D4A4B9EBBF6BF89314F1485AAE405EB361CB75AC05CB91
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1440813600.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_2ea0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID: LRq
                      • API String ID: 0-3187445251
                      • Opcode ID: a8b1dfa35e10366a8cb98008f7f0777b93b9a60764070fbed65d0a01d91d0df2
                      • Instruction ID: 6531d5d5bdac26725aa4c032d6d5722a4504f74b1c7dd0bad847a135bf20bcc4
                      • Opcode Fuzzy Hash: a8b1dfa35e10366a8cb98008f7f0777b93b9a60764070fbed65d0a01d91d0df2
                      • Instruction Fuzzy Hash: 93318D70F012158FCB44EB7DC861A6EBBF6BFC9304B15406AE509DB364EA35DD018791
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1440813600.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_2ea0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID: dLq
                      • API String ID: 0-2312315067
                      • Opcode ID: 24e58a134657e3949fba3037bf715e88bae88997e3126e316f75d683af715bc4
                      • Instruction ID: 3bfa34c3bf9fa99f5d3ab8368b8968841d22cd4360d06550ed07100a22f3b8ea
                      • Opcode Fuzzy Hash: 24e58a134657e3949fba3037bf715e88bae88997e3126e316f75d683af715bc4
                      • Instruction Fuzzy Hash: 00319E75A002049FDB14DF68C498BAEBBF2BF89304F189569E406AF361CB75AD04CB91
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1440813600.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_2ea0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID: Hq
                      • API String ID: 0-1594803414
                      • Opcode ID: 45a990f8c106bd99ca24793a68e1a206e30acfa4429e2acc07cdf60b29c54aba
                      • Instruction ID: a322ffb9cff1f3032fb0ddf6fba14306dfd9966a2a57432557663b7963f19abb
                      • Opcode Fuzzy Hash: 45a990f8c106bd99ca24793a68e1a206e30acfa4429e2acc07cdf60b29c54aba
                      • Instruction Fuzzy Hash: 0F01F9307043505FC389973C94659AF7BE6AFC626431544BEE049CF372DE288C0683A5
                      Memory Dump Source
                      • Source File: 00000014.00000002.1440813600.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_2ea0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3dd06b20dea1a0ee8fb97aaaf6ebc830e0091a4acc2a755c2b6443c772a4e4b2
                      • Instruction ID: 60b2f71876a0e37e4b3e12aef50b416feae3b2820f477e7682f270d9c07cbe14
                      • Opcode Fuzzy Hash: 3dd06b20dea1a0ee8fb97aaaf6ebc830e0091a4acc2a755c2b6443c772a4e4b2
                      • Instruction Fuzzy Hash: 1651C838902221CFCB16FB65F8445597B63FF842457908B68D4018B66CEB71AD66DF82
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bd00f977e9dad3f8971f299f32d9411ad535bf35604157e868b7ef2ab940046c
                      • Instruction ID: d4e4c68cfc0fc2a9df2bb44ca9e17aed59686eb38e59ad12ba6ec402ea324e2a
                      • Opcode Fuzzy Hash: bd00f977e9dad3f8971f299f32d9411ad535bf35604157e868b7ef2ab940046c
                      • Instruction Fuzzy Hash: 9F419F70F04208AFCB44EBB9845476EBFF6EFC8310F248569D54AD7345DA349D429B91
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6524c6f75911404c6e43daffb6a3282c229a872e9d584080ecd69c8601666987
                      • Instruction ID: a0c4f9ffe3b371120e156e693570520a99018bede26dcfaf1a4094a29bc6ecda
                      • Opcode Fuzzy Hash: 6524c6f75911404c6e43daffb6a3282c229a872e9d584080ecd69c8601666987
                      • Instruction Fuzzy Hash: 834112B0D0034C9FDB24DFA9C484ADEBBF5FF48304F248029E519AB250DB75A946CB90
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f8caa10cdd46147e4e42bcf4c4e2fd5fe7625abe824395867bb01782cc9edf15
                      • Instruction ID: cf2f472cba78e89cbca63053e588eb86f691f72c6efaaea8df83985eb0b2d13d
                      • Opcode Fuzzy Hash: f8caa10cdd46147e4e42bcf4c4e2fd5fe7625abe824395867bb01782cc9edf15
                      • Instruction Fuzzy Hash: 4C21A138A052148FDB18EF78D5546BE7BB2AF89314F154928C602AB358CF359D42CB94
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 25317fb104f8fa6a0714be6a5ec0ccaa9a17fa7ceda73c3e6470d226bf7816f4
                      • Instruction ID: 7299198153ba451fc6f22b293ae57f7c14efd5d6acefa2e171a1ac9dd3a6d762
                      • Opcode Fuzzy Hash: 25317fb104f8fa6a0714be6a5ec0ccaa9a17fa7ceda73c3e6470d226bf7816f4
                      • Instruction Fuzzy Hash: 06210534B012549FCB15EB75E8506AEBBE6EFC82547104AADCD4587348EB31AA06CBD2
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 80aa91c02fdd8b0a75def84c06801375034ed6bc630baaf2e0327a31751452e1
                      • Instruction ID: 971d96c84730868bbe876bf5f7fbf040cce72a4ae5dc2af9e418a8e92769168c
                      • Opcode Fuzzy Hash: 80aa91c02fdd8b0a75def84c06801375034ed6bc630baaf2e0327a31751452e1
                      • Instruction Fuzzy Hash: CB41EFB0D003499FDB24DFA9C484ADEBBF5FF48314F608029E919AB250DB75A945CB94
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e2db2b8fafdda8a3c6b2b05eb3fac154387c801006c82a1d8f422d762a6447c4
                      • Instruction ID: ee4f480cacddda936dac7b6e66fbe979844771855f06c7f81eca834850b8ddcf
                      • Opcode Fuzzy Hash: e2db2b8fafdda8a3c6b2b05eb3fac154387c801006c82a1d8f422d762a6447c4
                      • Instruction Fuzzy Hash: 06318234A002559FCB55EF79E880A9DBBF2EF85314B204AADD105CB295DB71AD0ACFC1
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b16c532b5ab387e7c250eacc9fad3e5987787963aca5f45f3f3662dba0b5ead2
                      • Instruction ID: f14235f5287a1ef8d4368f0bb37640519932bf592fa1ca23a319f58813054868
                      • Opcode Fuzzy Hash: b16c532b5ab387e7c250eacc9fad3e5987787963aca5f45f3f3662dba0b5ead2
                      • Instruction Fuzzy Hash: 4C218734B852128FDB68AB7DEC4473E3FA4AB84345F559A3DD60BD5140DB70C650CB52
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d1a046c849bd55418d8906f21835237438021e2439702cd5024028405492c919
                      • Instruction ID: dad84dbc5790033b2937c7cb17c1b93d581f2454f6bd9c3614c1c522d445b1f5
                      • Opcode Fuzzy Hash: d1a046c849bd55418d8906f21835237438021e2439702cd5024028405492c919
                      • Instruction Fuzzy Hash: 28219334B812138FDF58AB7EE81872E7AA4AF80345F458A3DD60BC5144EF70D650CB52
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5412460131c051f54627820b42eff755fa514b85cadcd16a2575e59c9ef5e6f4
                      • Instruction ID: 4ccaa17be680d502abd206b733abff2e407b653980c3aa6d72dbc9a8d58ea2ea
                      • Opcode Fuzzy Hash: 5412460131c051f54627820b42eff755fa514b85cadcd16a2575e59c9ef5e6f4
                      • Instruction Fuzzy Hash: 75216435D80202CFE729CB2AFC447183BE2B784218F14DB5AD90087645E3B29B61CF82
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 34148ce6bfc5c6d11470a87b7643498bf51461cdf0af660ceac04d085b53e979
                      • Instruction ID: a1785efb4d8de886e7f35725ff2c45d952787e9115d1c208dc4468160156840d
                      • Opcode Fuzzy Hash: 34148ce6bfc5c6d11470a87b7643498bf51461cdf0af660ceac04d085b53e979
                      • Instruction Fuzzy Hash: 8D110474A01210CFCB45EBB9D91467E7BF6AF882107540578C009CB328DB30DD51CB80
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7b011f13fbecd9b73b64eea0c8e6a2eceaac5c50e90f877c80cd3a7c3377b1de
                      • Instruction ID: c49a9eb74b0309181d5e15adadae8e24024d5e94d703477a2b2b083ecafec60b
                      • Opcode Fuzzy Hash: 7b011f13fbecd9b73b64eea0c8e6a2eceaac5c50e90f877c80cd3a7c3377b1de
                      • Instruction Fuzzy Hash: C511C030B01215DFCB54EBBAD504A6ABBF6AFC82117684578D50ACB318EF31ED11CB90
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3fbc5ec2192cbcd96d8c2993728085254f069c4a88e90668067410c42d6a73b4
                      • Instruction ID: 5afcb7fedcf8bfbc4327141426c07afdbf65fb8f7f5c7322468bc03822033fab
                      • Opcode Fuzzy Hash: 3fbc5ec2192cbcd96d8c2993728085254f069c4a88e90668067410c42d6a73b4
                      • Instruction Fuzzy Hash: 1401B1317082809FD729AB38AAA077D7BE3AFCA241715047ED64ACB341CF70CC129B52
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 31e8dac3b017fee67f64050889f2a442af70350e0e45b2075773a740132fc003
                      • Instruction ID: 0e3ba17ce7f805b109bf7656e5837f2701828462a4942b5362380a9d239a6cfb
                      • Opcode Fuzzy Hash: 31e8dac3b017fee67f64050889f2a442af70350e0e45b2075773a740132fc003
                      • Instruction Fuzzy Hash: 55119470A002559FCB45FB74E80069E7BF2AF81314B104769C2058B285EB71A91ACFD2
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3559b0b2d7deeeb2cd4debc1ee71ad43a7b8970c9bace04e200529197fdd1ea0
                      • Instruction ID: f04e4a35d976863cdddf46e57ab952860234cd82ad8843e72318a3a3e4013346
                      • Opcode Fuzzy Hash: 3559b0b2d7deeeb2cd4debc1ee71ad43a7b8970c9bace04e200529197fdd1ea0
                      • Instruction Fuzzy Hash: 181133B48007498FCB20DF9AC985BDFFBF4EB48324F208419D518A3640C3356544CFA1
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 438743480b549dd07891657871f40a3144c1dcb22dd4219621aa85f1dda95006
                      • Instruction ID: fddb04c6cd58efa3b7890ff7d8fde858c77f1dfc533c9417f505395a53d82dab
                      • Opcode Fuzzy Hash: 438743480b549dd07891657871f40a3144c1dcb22dd4219621aa85f1dda95006
                      • Instruction Fuzzy Hash: 97017874A042049FE7119B18EC50B6EBFA0EF44214B14819AD1888F326C732DC078BA2
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 947ca110a1a975ade08b078a45a0552ef8934023d378bb2fbf6c398a6bba76d5
                      • Instruction ID: 30d1a5b2424dcc8535de1a76d74a583efef132e823ece05f35ae72b5f655f37a
                      • Opcode Fuzzy Hash: 947ca110a1a975ade08b078a45a0552ef8934023d378bb2fbf6c398a6bba76d5
                      • Instruction Fuzzy Hash: AF11EEB5C007498FDB20DF9AC585BDEFBF4EB49324F208459D929A7250C379A944CFA1
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 777bcdd29baa2092c576193a7acbb8cd931976c5f03b1cc5bc40cdde2c48fde5
                      • Instruction ID: c70732a4d292e163f441b73e196942d212147518fd9f5bfd43b1088bc342816a
                      • Opcode Fuzzy Hash: 777bcdd29baa2092c576193a7acbb8cd931976c5f03b1cc5bc40cdde2c48fde5
                      • Instruction Fuzzy Hash: 54E026307062501FC302BBBCE8544E93FAB9FCA30036405D6E045EB7A2CB24CD024BD4
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0826c5ba78b52c417906c5c886b8f3ef99c12b9d2ed72dfcc3414c047b73f68f
                      • Instruction ID: 478e92647beeba770a9c18dba6775e8584da8e3cdf2f11add7cc36ad4e3a0d03
                      • Opcode Fuzzy Hash: 0826c5ba78b52c417906c5c886b8f3ef99c12b9d2ed72dfcc3414c047b73f68f
                      • Instruction Fuzzy Hash: A7F0E5B5A4430ADFE7109F22C851BAD3BB4AF09348F44019AD303D72A2C7B9AE41CF90
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6c48f1e4726c14cb217690254c27ca70a0fb308488eb59483a4e66cd2e3cb2c5
                      • Instruction ID: e0ed7238ab6240b44a12be3a7b552eba0aa7c6570aab6ad174c401015b70d17f
                      • Opcode Fuzzy Hash: 6c48f1e4726c14cb217690254c27ca70a0fb308488eb59483a4e66cd2e3cb2c5
                      • Instruction Fuzzy Hash: C2E08C323002105F8748966EA88495ABBDAEBC8260365487AE509C7315DD71CC014690
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 26e00abdd142c887c5bf911c7fc2be47f1a1042c9f492bf22503dbcf624a54a5
                      • Instruction ID: e2517633ebf3eeca7686a27f90954f554354a26b0f0589d3ac291858a73215b8
                      • Opcode Fuzzy Hash: 26e00abdd142c887c5bf911c7fc2be47f1a1042c9f492bf22503dbcf624a54a5
                      • Instruction Fuzzy Hash: 43D012B0C492095EDB85DFE894113AD7FF6FB0D210F2042A9D94DE2700E73106128F52
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 960c58b7a424d52bb28381688e5f6a745c6b4bce4696059de3b8481e11f68fa1
                      • Instruction ID: 14c5f86da2a64743304b8b17f098073fa12233ddf140b119cd8932fdd5ece430
                      • Opcode Fuzzy Hash: 960c58b7a424d52bb28381688e5f6a745c6b4bce4696059de3b8481e11f68fa1
                      • Instruction Fuzzy Hash: CFD02238005A01CFE303CA6AE0348113F24FF2860030201A6D041CB732E711DC10CB10
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5e49297bb7b1de8b347c33b9a99c1d402d854f671aeff2e4fe7b9f8cf1a3c133
                      • Instruction ID: 8b6c99d5eb94204aa1d8598e0ba15bbf27b2f06e534ece000b6df8e0dde17b4a
                      • Opcode Fuzzy Hash: 5e49297bb7b1de8b347c33b9a99c1d402d854f671aeff2e4fe7b9f8cf1a3c133
                      • Instruction Fuzzy Hash: B1C08C34EC4207CFE32423A8E80C32C7D50AB80303FC18A06E206880828FB009208317
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5cd97880f32f503eb2ec306f347f86b39c0a3e89139ac46f342317c201b0cc84
                      • Instruction ID: 535838d1ca1dda219bd0d8388136694de1d5cf5dd3b32497f30a1858af1b4cf7
                      • Opcode Fuzzy Hash: 5cd97880f32f503eb2ec306f347f86b39c0a3e89139ac46f342317c201b0cc84
                      • Instruction Fuzzy Hash: 89C08C30EC464BCFE7246368E80C32C7E50A780303FC18A0AE206880828FB00920C717
                      Memory Dump Source
                      • Source File: 00000016.00000002.2485964887.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_22_2_2cd0000_windowsBook.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 506751fbfa7685a27fa30d8dd7812f3f285af8717179c1bbe3a770d94d8c176c
                      • Instruction ID: 1791b6693c35da7a340fe042f121b8d76dbd1af5d53c121d0ff3060837cd2ea6
                      • Opcode Fuzzy Hash: 506751fbfa7685a27fa30d8dd7812f3f285af8717179c1bbe3a770d94d8c176c
                      • Instruction Fuzzy Hash: E3C048392602088F8244EA9AE588C12B7A8BF58A0034100A9E5018B722CB21F820DA62