Windows Analysis Report
rPRESUPUESTO.exe

Overview

General Information

Sample name:	rPRESUPUESTO.exe
Analysis ID:	1465409
MD5:	e78d43a26913cf101b98d1d04839eee2
SHA1:	911c8c10f7c8bc9fd3c6bd16e9f5da11e3c3eb5d
SHA256:	8f9dbdd77e130b7238761966a9c9aa8712baf2100ddebc3d9d206ee17f8f119c
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://www.genesiestudios.online/s29p/	Avira URL Cloud: Label: malware
Source: http://www.genesiestudios.online	Avira URL Cloud: Label: malware
Source: http://www.gsdaluan.shop/8urb/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: rPRESUPUESTO.exe

ReversingLabs: Detection: 68%

Yara detected FormBook

Source: Yara match	File source: 5.2.rPRESUPUESTO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rPRESUPUESTO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2328576677.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4590404042.0000000005560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4588343221.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4588414444.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rPRESUPUESTO.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: rPRESUPUESTO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: rPRESUPUESTO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000000.2251157795.000000000098E000.00000002.00000001.01000000.0000000D.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000000.2398762392.000000000098E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: gESw.pdb source: rPRESUPUESTO.exe
Source:	Binary string: wntdll.pdbUGP source: rPRESUPUESTO.exe, 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000003.2330777913.0000000002976000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000003.2328626906.00000000027CA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gESw.pdbSHA256 source: rPRESUPUESTO.exe
Source:	Binary string: wntdll.pdb source: rPRESUPUESTO.exe, rPRESUPUESTO.exe, 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 00000009.00000003.2330777913.0000000002976000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000003.2328626906.00000000027CA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmutil.pdbGCTL source: rPRESUPUESTO.exe, 00000005.00000002.2328360185.0000000001347000.00000004.00000020.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000002.4587226649.0000000001028000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmutil.pdb source: rPRESUPUESTO.exe, 00000005.00000002.2328360185.0000000001347000.00000004.00000020.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000002.4587226649.0000000001028000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\ktmutil.exe

Code function: 9_2_0019C0E0 FindFirstFileW,FindNextFileW,FindClose,

9_2_0019C0E0

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4x nop then xor eax, eax		9_2_00189780
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 4x nop then mov ebx, 00000004h		9_2_02A10548

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49722 -> 122.10.13.122:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49727 -> 109.123.121.243:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49728 -> 109.123.121.243:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49731 -> 109.123.121.243:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49733 -> 47.242.109.15:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49734 -> 47.242.109.15:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49737 -> 47.242.109.15:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49739 -> 121.254.178.238:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49740 -> 121.254.178.238:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49742 -> 121.254.178.238:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49743 -> 203.161.62.199:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49744 -> 203.161.62.199:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49746 -> 203.161.62.199:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49747 -> 74.208.236.72:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49748 -> 74.208.236.72:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49750 -> 74.208.236.72:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49751 -> 192.207.62.21:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49752 -> 192.207.62.21:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49754 -> 192.207.62.21:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49755 -> 199.59.243.226:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49756 -> 199.59.243.226:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49758 -> 199.59.243.226:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49759 -> 45.207.12.95:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49760 -> 45.207.12.95:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49762 -> 45.207.12.95:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49763 -> 81.95.96.29:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49764 -> 81.95.96.29:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49766 -> 81.95.96.29:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49767 -> 103.224.182.246:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49768 -> 103.224.182.246:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49770 -> 103.224.182.246:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49771 -> 72.52.179.174:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49772 -> 72.52.179.174:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49774 -> 72.52.179.174:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49775 -> 192.227.175.142:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49776 -> 192.227.175.142:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49778 -> 192.227.175.142:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49779 -> 31.186.11.254:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49780 -> 31.186.11.254:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.quantumvoil.xyz

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 192.207.62.21 192.207.62.21
Source: Joe Sandbox View	IP Address: 72.52.179.174 72.52.179.174
Source: Joe Sandbox View	IP Address: 72.52.179.174 72.52.179.174

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View	ASN Name: LGDACOMLGDACOMCorporationKR LGDACOMLGDACOMCorporationKR
Source: Joe Sandbox View	ASN Name: HOSTBREWUS HOSTBREWUS
Source: Joe Sandbox View	ASN Name: LIQUIDWEBUS LIQUIDWEBUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 01 Jul 2024 14:18:21 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 4981Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 5c cd 73 1b b7 92 3f 2b 55 f9 1f 10 ba 1c 59 b5 02 bf f4 2d 4b ca 73 6c e5 3d af e3 8f 8d bc 49 6d 2e 2e cc 0c 48 42 9c 01 e6 01 33 14 c9 3c df 77 ab d6 f7 cd fa b2 3a fa a0 ca 61 6f af ea e5 42 e9 ff da 06 30 43 ce 0c 87 12 a9 8f ac f3 e1 84 d4 0c 06 e8 6e 00 dd bf ee 06 c0 d9 eb 44 81 7f f0 e9 27 9f 7e b2 d7 a1 c4 83 ab a5 3d 87 28 8a 3a 92 b6 f6 2b b5 8a 29 09 68 44 90 db 21 52 d1 68 bf 12 47 2d bc 5d 31 8d 96 f6 22 16 f9 f4 e0 d1 e3 d7 4f bf 3d 44 cd f5 55 a4 aa b2 2a aa 7b 35 fb c0 56 32 ed 39 09 e8 7e a5 c7 e8 49 28 64 54 41 ae e0 11 e5 40 ef 84 79 51 67 df a3 3d e6 52 6c 6e 56 11 e3 2c 62 c4 c7 ca 25 3e dd 6f 64 c4 b0 64 9e d1 c1 89 90 9e ca 90 99 aa f3 84 2a 57 b2 30 62 82 67 aa 4d 89 3a d5 ee 51 1c 75 84 5c a8 c9 cb 13 4e 2f 6d 81 d2 f1 fa 0c 63 d4 22 d0 55 c1 91 8a 88 8c 10 c6 86 9a cf 78 17 49 ea ef 57 48 18 fa 14 47 22 76 3b 58 d7 ab 20 c5 86 54 ed 57 36 b6 fa 1b 5b 95 64 6a 3a 51 14 aa dd 5a ad 1d b3 2a 71 23 d6 a3 cd f5 aa 3b ac b1 a0 5d d3 ad 6a a4 b9 8e 2d a9 84 1f 36 ed ab 21 6f 57 e6 e5 b8 59 ef 6f d6 6f c0 d1 b4 5f 88 e3 56 b3 bf d5 bc 01 47 d3 7e 31 8e 9b fd ad cd 9b 70 d4 ed 17 e2 d8 68 ac f7 e1 73 03 9e 09 85 c5 b8 36 eb 7d f8 dc 84 ab a5 b0 18 d7 75 90 74 fd 46 7d b5 14 16 e3 ba d1 ec c3 e7 26 5c 2d 85 c5 b8 6e c3 f8 6c df 68 84 2d 85 32 ae 96 53 34 08 01 6e 58 40 da b4 a6 2b 8d 59 ef 80 b8 3b 8b 75 78 cc d4 b6 5d 9c e9 5a b3 bf 76 3d 96 a6 e5 e2 0c 77 36 fb 3b 8b 99 6a ca d0 b4 bc c6 b0 6e f6 1b d7 63 68 5a 4e 18 66 7c 45 a0 f4 9c 33 97 68 c7 84 5f 33 9f 3e 16 7e ce df dc 6b 99 7f 73 b4 7c aa 25 ce b4 9c 4b c4 40 e1 72 c3 ca b0 8a 3a 34 a0 d8 bd 4c b0 c9 18 aa 68 e0 53 d5 a1 34 ba 6a a8 7c e6 48 22 07 35 43 be d6 09 1b 9b 35 d3 b8 ea 2a 35 3f d5 09 45 11 d4 a0 a5 0b dd 6a d4 02 c2 78 15 5a a8 2f 7a fb 5b de 36 5d 6b d6 b7 d6 b7 5a 9b 5b f5 8d 0d b7 41 1a f5 fa 76 cb 71 d7 eb 5e dd 6d 5c c6 cb ea 42 44 fb 91 a6 9d f2 ae 01 fd be eb f1 aa 23 44 a4 22 49 42 7d a3 05 68 c1 e8 60 72 42 95 80 2e ad 57 d7 aa 75 dd 2e 57 5c 0d 40 34 4d 0c b8 2e 05 d4 63 04 50 c4 f7 8d 14 08 2d 24 c7 ac 91 d5 2c 7d c2 3d c6 db e9 60 ea 2e 1a 82 9a cd d2 9f 58 a0 e3 2e 14 4b ff 41 4a 44 cb a8 aa 6d 21 da 3e 25 21 53 e9 80 7e d1 22 01 f3 07 fb af 21 08 f3 7d 16 07 ff f4 1d 75 76 d7 eb f5 d5 2d f8 ec c0 67 13 3e 6b f5 fa e7 2a 76 74 4c e8 83 4a f2 55 f3 8d 41 e0 95 87 86 fb d2 9f cc 20 b4 88 4b d1 0f fa 7e 29 b9 d7 c4 77 d1 72 2a bf 51 47 b5 fc d0 54 51 d2 dd 35 42 2e cf ea aa 26 52 cb b7 ad 52 11 2d af a0 96 90 01 89 1e 2c d3 c0 a1 9e 47 3d 2c 42 d0 5b 18 c7 e5 95 55 43 7c 69 61 c2 51 d4 ca 10 8e 64 4c 6f 46 ef 44 b4 b2 04 ed ed 75 89 a9 5e 3b 43 cb dc 3d 9c 8c f3 09 65 ed 4e b4 8b b8 7e ee 67 1e 18 a5 c8 95 bf b5 f3 a5 93 01 23 8b 23 bc 41 d9 94 55 c6 1a 81 40 23 2a 96 a6 e8 51 d9 f2 c5 09 ee ef a2 0e 83 71 e7 59
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 01 Jul 2024 14:18:24 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 4981Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 5c cd 73 1b b7 92 3f 2b 55 f9 1f 10 ba 1c 59 b5 02 bf f4 2d 4b ca 73 6c e5 3d af e3 8f 8d bc 49 6d 2e 2e cc 0c 48 42 9c 01 e6 01 33 14 c9 3c df 77 ab d6 f7 cd fa b2 3a fa a0 ca 61 6f af ea e5 42 e9 ff da 06 30 43 ce 0c 87 12 a9 8f ac f3 e1 84 d4 0c 06 e8 6e 00 dd bf ee 06 c0 d9 eb 44 81 7f f0 e9 27 9f 7e b2 d7 a1 c4 83 ab a5 3d 87 28 8a 3a 92 b6 f6 2b b5 8a 29 09 68 44 90 db 21 52 d1 68 bf 12 47 2d bc 5d 31 8d 96 f6 22 16 f9 f4 e0 d1 e3 d7 4f bf 3d 44 cd f5 55 a4 aa b2 2a aa 7b 35 fb c0 56 32 ed 39 09 e8 7e a5 c7 e8 49 28 64 54 41 ae e0 11 e5 40 ef 84 79 51 67 df a3 3d e6 52 6c 6e 56 11 e3 2c 62 c4 c7 ca 25 3e dd 6f 64 c4 b0 64 9e d1 c1 89 90 9e ca 90 99 aa f3 84 2a 57 b2 30 62 82 67 aa 4d 89 3a d5 ee 51 1c 75 84 5c a8 c9 cb 13 4e 2f 6d 81 d2 f1 fa 0c 63 d4 22 d0 55 c1 91 8a 88 8c 10 c6 86 9a cf 78 17 49 ea ef 57 48 18 fa 14 47 22 76 3b 58 d7 ab 20 c5 86 54 ed 57 36 b6 fa 1b 5b 95 64 6a 3a 51 14 aa dd 5a ad 1d b3 2a 71 23 d6 a3 cd f5 aa 3b ac b1 a0 5d d3 ad 6a a4 b9 8e 2d a9 84 1f 36 ed ab 21 6f 57 e6 e5 b8 59 ef 6f d6 6f c0 d1 b4 5f 88 e3 56 b3 bf d5 bc 01 47 d3 7e 31 8e 9b fd ad cd 9b 70 d4 ed 17 e2 d8 68 ac f7 e1 73 03 9e 09 85 c5 b8 36 eb 7d f8 dc 84 ab a5 b0 18 d7 75 90 74 fd 46 7d b5 14 16 e3 ba d1 ec c3 e7 26 5c 2d 85 c5 b8 6e c3 f8 6c df 68 84 2d 85 32 ae 96 53 34 08 01 6e 58 40 da b4 a6 2b 8d 59 ef 80 b8 3b 8b 75 78 cc d4 b6 5d 9c e9 5a b3 bf 76 3d 96 a6 e5 e2 0c 77 36 fb 3b 8b 99 6a ca d0 b4 bc c6 b0 6e f6 1b d7 63 68 5a 4e 18 66 7c 45 a0 f4 9c 33 97 68 c7 84 5f 33 9f 3e 16 7e ce df dc 6b 99 7f 73 b4 7c aa 25 ce b4 9c 4b c4 40 e1 72 c3 ca b0 8a 3a 34 a0 d8 bd 4c b0 c9 18 aa 68 e0 53 d5 a1 34 ba 6a a8 7c e6 48 22 07 35 43 be d6 09 1b 9b 35 d3 b8 ea 2a 35 3f d5 09 45 11 d4 a0 a5 0b dd 6a d4 02 c2 78 15 5a a8 2f 7a fb 5b de 36 5d 6b d6 b7 d6 b7 5a 9b 5b f5 8d 0d b7 41 1a f5 fa 76 cb 71 d7 eb 5e dd 6d 5c c6 cb ea 42 44 fb 91 a6 9d f2 ae 01 fd be eb f1 aa 23 44 a4 22 49 42 7d a3 05 68 c1 e8 60 72 42 95 80 2e ad 57 d7 aa 75 dd 2e 57 5c 0d 40 34 4d 0c b8 2e 05 d4 63 04 50 c4 f7 8d 14 08 2d 24 c7 ac 91 d5 2c 7d c2 3d c6 db e9 60 ea 2e 1a 82 9a cd d2 9f 58 a0 e3 2e 14 4b ff 41 4a 44 cb a8 aa 6d 21 da 3e 25 21 53 e9 80 7e d1 22 01 f3 07 fb af 21 08 f3 7d 16 07 ff f4 1d 75 76 d7 eb f5 d5 2d f8 ec c0 67 13 3e 6b f5 fa e7 2a 76 74 4c e8 83 4a f2 55 f3 8d 41 e0 95 87 86 fb d2 9f cc 20 b4 88 4b d1 0f fa 7e 29 b9 d7 c4 77 d1 72 2a bf 51 47 b5 fc d0 54 51 d2 dd 35 42 2e cf ea aa 26 52 cb b7 ad 52 11 2d af a0 96 90 01 89 1e 2c d3 c0 a1 9e 47 3d 2c 42 d0 5b 18 c7 e5 95 55 43 7c 69 61 c2 51 d4 ca 10 8e 64 4c 6f 46 ef 44 b4 b2 04 ed ed 75 89 a9 5e 3b 43 cb dc 3d 9c 8c f3 09 65 ed 4e b4 8b b8 7e ee 67 1e 18 a5 c8 95 bf b5 f3 a5 93 01 23 8b 23 bc 41 d9 94 55 c6 1a 81 40 23 2a 96 a6 e8 51 d9 f2 c5 09 ee ef a2 0e 83 71 e7 59
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 01 Jul 2024 14:18:26 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 4981Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 5c cd 73 1b b7 92 3f 2b 55 f9 1f 10 ba 1c 59 b5 02 bf f4 2d 4b ca 73 6c e5 3d af e3 8f 8d bc 49 6d 2e 2e cc 0c 48 42 9c 01 e6 01 33 14 c9 3c df 77 ab d6 f7 cd fa b2 3a fa a0 ca 61 6f af ea e5 42 e9 ff da 06 30 43 ce 0c 87 12 a9 8f ac f3 e1 84 d4 0c 06 e8 6e 00 dd bf ee 06 c0 d9 eb 44 81 7f f0 e9 27 9f 7e b2 d7 a1 c4 83 ab a5 3d 87 28 8a 3a 92 b6 f6 2b b5 8a 29 09 68 44 90 db 21 52 d1 68 bf 12 47 2d bc 5d 31 8d 96 f6 22 16 f9 f4 e0 d1 e3 d7 4f bf 3d 44 cd f5 55 a4 aa b2 2a aa 7b 35 fb c0 56 32 ed 39 09 e8 7e a5 c7 e8 49 28 64 54 41 ae e0 11 e5 40 ef 84 79 51 67 df a3 3d e6 52 6c 6e 56 11 e3 2c 62 c4 c7 ca 25 3e dd 6f 64 c4 b0 64 9e d1 c1 89 90 9e ca 90 99 aa f3 84 2a 57 b2 30 62 82 67 aa 4d 89 3a d5 ee 51 1c 75 84 5c a8 c9 cb 13 4e 2f 6d 81 d2 f1 fa 0c 63 d4 22 d0 55 c1 91 8a 88 8c 10 c6 86 9a cf 78 17 49 ea ef 57 48 18 fa 14 47 22 76 3b 58 d7 ab 20 c5 86 54 ed 57 36 b6 fa 1b 5b 95 64 6a 3a 51 14 aa dd 5a ad 1d b3 2a 71 23 d6 a3 cd f5 aa 3b ac b1 a0 5d d3 ad 6a a4 b9 8e 2d a9 84 1f 36 ed ab 21 6f 57 e6 e5 b8 59 ef 6f d6 6f c0 d1 b4 5f 88 e3 56 b3 bf d5 bc 01 47 d3 7e 31 8e 9b fd ad cd 9b 70 d4 ed 17 e2 d8 68 ac f7 e1 73 03 9e 09 85 c5 b8 36 eb 7d f8 dc 84 ab a5 b0 18 d7 75 90 74 fd 46 7d b5 14 16 e3 ba d1 ec c3 e7 26 5c 2d 85 c5 b8 6e c3 f8 6c df 68 84 2d 85 32 ae 96 53 34 08 01 6e 58 40 da b4 a6 2b 8d 59 ef 80 b8 3b 8b 75 78 cc d4 b6 5d 9c e9 5a b3 bf 76 3d 96 a6 e5 e2 0c 77 36 fb 3b 8b 99 6a ca d0 b4 bc c6 b0 6e f6 1b d7 63 68 5a 4e 18 66 7c 45 a0 f4 9c 33 97 68 c7 84 5f 33 9f 3e 16 7e ce df dc 6b 99 7f 73 b4 7c aa 25 ce b4 9c 4b c4 40 e1 72 c3 ca b0 8a 3a 34 a0 d8 bd 4c b0 c9 18 aa 68 e0 53 d5 a1 34 ba 6a a8 7c e6 48 22 07 35 43 be d6 09 1b 9b 35 d3 b8 ea 2a 35 3f d5 09 45 11 d4 a0 a5 0b dd 6a d4 02 c2 78 15 5a a8 2f 7a fb 5b de 36 5d 6b d6 b7 d6 b7 5a 9b 5b f5 8d 0d b7 41 1a f5 fa 76 cb 71 d7 eb 5e dd 6d 5c c6 cb ea 42 44 fb 91 a6 9d f2 ae 01 fd be eb f1 aa 23 44 a4 22 49 42 7d a3 05 68 c1 e8 60 72 42 95 80 2e ad 57 d7 aa 75 dd 2e 57 5c 0d 40 34 4d 0c b8 2e 05 d4 63 04 50 c4 f7 8d 14 08 2d 24 c7 ac 91 d5 2c 7d c2 3d c6 db e9 60 ea 2e 1a 82 9a cd d2 9f 58 a0 e3 2e 14 4b ff 41 4a 44 cb a8 aa 6d 21 da 3e 25 21 53 e9 80 7e d1 22 01 f3 07 fb af 21 08 f3 7d 16 07 ff f4 1d 75 76 d7 eb f5 d5 2d f8 ec c0 67 13 3e 6b f5 fa e7 2a 76 74 4c e8 83 4a f2 55 f3 8d 41 e0 95 87 86 fb d2 9f cc 20 b4 88 4b d1 0f fa 7e 29 b9 d7 c4 77 d1 72 2a bf 51 47 b5 fc d0 54 51 d2 dd 35 42 2e cf ea aa 26 52 cb b7 ad 52 11 2d af a0 96 90 01 89 1e 2c d3 c0 a1 9e 47 3d 2c 42 d0 5b 18 c7 e5 95 55 43 7c 69 61 c2 51 d4 ca 10 8e 64 4c 6f 46 ef 44 b4 b2 04 ed ed 75 89 a9 5e 3b 43 cb dc 3d 9c 8c f3 09 65 ed 4e b4 8b b8 7e ee 67 1e 18 a5 c8 95 bf b5 f3 a5 93 01 23 8b 23 bc 41 d9 94 55 c6 1a 81 40 23 2a 96 a6 e8 51 d9 f2 c5 09 ee ef a2 0e 83 71 e7 59

Source: global traffic	HTTP traffic detected: GET /ndq7/?3hkl=slNhbLXpBjO8vl&4dV43tA=OxZKnWuwsJOrHHhSr0WAKMos2ZEDKwJVMtvq3iaqcpp4OrE8YxBQJzvCfYPSu8gmodsQI/gccX7lRSYJm35OlpLbr+Emqb863it5vTM6q/0fJzxBvxXG8nRUn7++wRvQdA== HTTP/1.1Host: www.tcqlk.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /hpa2/?4dV43tA=9ukV0lom1Pkt5UJj/K4lBand6ck4dRKkyq6RFoVD1IbXcSjkOX57QIVSlkgD3OdjwHZgiaAyrGOMfaVTdV8W+y7+gTzt+hDR2BCzfmmCLLxuXIcFaZwChPWJYJEFenE0lA==&3hkl=slNhbLXpBjO8vl HTTP/1.1Host: www.rlplatro.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /pyns/?3hkl=slNhbLXpBjO8vl&4dV43tA=K1EGEj+kimjFg9LR9EnSE5iA5qZu36FTtfUVuSlzoP8oPxhtdzERerS5Mp6fVz5Cq8+DdWETSgOpnIOU0gSGOk+1pkQ/H5TXrv7e3gEZftLrUi5jR50/YQGYV+ODUfVL1g== HTTP/1.1Host: www.xsemckm.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /vjxp/?4dV43tA=XkwDhAosLmY8qOGkJKM7nBqGXPMJWqSVPKG+tEu7tnkRRA5qaKsxdm3QH0407PDb0a9c/bEAso+GP5FSns/F0pcfHDqX+WZ2QlqXVXtujZTwrVOl6ODb0zZvjrqBrFnJXw==&3hkl=slNhbLXpBjO8vl HTTP/1.1Host: www.b6fbly7u.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /gb2c/?3hkl=slNhbLXpBjO8vl&4dV43tA=89eEKNhTAfJ0K+ZNbo8QYk1fUSoEpApn1wnFOcVuW0oI5H3wAhPaJlWMgeBIfmA5pU1pUK0VAPZu7D3VTgjehpZPLbfme/O2eAoCBbtXgeZInoaphOuGkqvoaLKQybRjQA== HTTP/1.1Host: www.quantumvoil.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /edi4/?4dV43tA=NUWN0h33C1Yyooj/Nqm5TKnDvFAfPsTlu/xXoo6GTaC/958/rmN21lJSbp33wZ0UtxsuR42FNjevCBZMMsNJEJT8RotDqfV3dG69h6TKJk4r6FZf3JTIotB8t00dC+KIgA==&3hkl=slNhbLXpBjO8vl HTTP/1.1Host: www.transelva.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /8urb/?3hkl=slNhbLXpBjO8vl&4dV43tA=+Wbbbk7eLFmMNhAmT0HXUc8arE4mAIhp5z7AS+/8DqhgdhWyAH0zoQfcqO3QhsAMO97HQEWUjr1A2ySQn1zg0/55KGrPENVTP1yAkCUjuBmNS/fntZ3fyi496lnRN2tFRA== HTTP/1.1Host: www.gsdaluan.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /k4dg/?4dV43tA=nz4FHKR3kHD8T7sos5tKkVQRfY182oQFmZOBlJ8PbPlp6eprRQ8g6Bnz+oNd18dyAKSZqsJ9UtPL5lP5nYFy9dCb86j6n0RTbdEdkH9XwmQfMRZVI+dcEtE4XSVBGLRbLA==&3hkl=slNhbLXpBjO8vl HTTP/1.1Host: www.mommysdaycare.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /dy54/?3hkl=slNhbLXpBjO8vl&4dV43tA=nRvBPTzlzGF4n3rt1QttF4nrN+JQ8KTHZyrUcXxxKI8o38P7J7J9FRPNIVc1TZhiGrLUOXxy1Ju1j9DdTlskr3z+VILb9gUTk9d2pc0Ee/hjvnETVBSGl3uD2JlRjMFEvQ== HTTP/1.1Host: www.203av.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /vi6c/?4dV43tA=bcf+LDcyoYCm+QyU3/UN8JBlUcMDsPN1iNWsx7umrkQm3W+qfOHyOayxGzxcStXTe9ogwFYflhpGlkCNjFINeirDlZuuOL3Enw+3v27XAzPfiFhmkrPFAnkPRuNZJaNv/Q==&3hkl=slNhbLXpBjO8vl HTTP/1.1Host: www.hydrogenmovie.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /n983/?3hkl=slNhbLXpBjO8vl&4dV43tA=e+5nfbuNDjer0F2gZArKywdTCxWjyYobv/bJcL0KsTg4lVUyb9D57z7xFmyHzStdVmhrGKgxJydatVMh3gIVfbA1nNcelGxUr0Cqn1CeETaIIhfK6rSIprtv6DqA0Tv84A== HTTP/1.1Host: www.atmpla.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /2pcd/?4dV43tA=tIH23YAAyU0vk1VwVlLsnDkrzub9KGyrHgMKKMQURaOCIZhbg0Upzh73XSapbsD05fysGFvFeXdkAWPx22YjftjyG2q/7RKdCSWXn7wn/qpIWY7LWJ3oR8OZl3TaORuYDQ==&3hkl=slNhbLXpBjO8vl HTTP/1.1Host: www.europedriveguide.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /irbt/?3hkl=slNhbLXpBjO8vl&4dV43tA=mqJtasd7r+ucb4h/g/ZTmy6JwNbO/v5n7k97Wehkk725AqfiRwLRxT17AJTqC5rNKbn4S3nwUKyYsCTiBBHbxywoRNMYnVscP0z+oucLCcHVoXQNraVEZ5jUDUaptob6FA== HTTP/1.1Host: www.coinmao.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.tcqlk.com
Source: global traffic	DNS traffic detected: DNS query: www.rlplatro.sbs
Source: global traffic	DNS traffic detected: DNS query: www.xsemckm.sbs
Source: global traffic	DNS traffic detected: DNS query: www.b6fbly7u.shop
Source: global traffic	DNS traffic detected: DNS query: www.quantumvoil.xyz
Source: global traffic	DNS traffic detected: DNS query: www.transelva.com
Source: global traffic	DNS traffic detected: DNS query: www.gsdaluan.shop
Source: global traffic	DNS traffic detected: DNS query: www.mommysdaycare.net
Source: global traffic	DNS traffic detected: DNS query: www.203av.com
Source: global traffic	DNS traffic detected: DNS query: www.hydrogenmovie.com
Source: global traffic	DNS traffic detected: DNS query: www.atmpla.net
Source: global traffic	DNS traffic detected: DNS query: www.europedriveguide.com
Source: global traffic	DNS traffic detected: DNS query: www.coinmao.com
Source: global traffic	DNS traffic detected: DNS query: www.genesiestudios.online

Source: unknown

HTTP traffic detected: POST /hpa2/ HTTP/1.1Host: www.rlplatro.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Origin: http://www.rlplatro.sbsCache-Control: no-cacheConnection: closeContent-Length: 208Content-Type: application/x-www-form-urlencodedReferer: http://www.rlplatro.sbs/hpa2/User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36Data Raw: 34 64 56 34 33 74 41 3d 77 73 4d 31 33 52 46 68 70 75 4e 42 35 31 78 55 70 59 59 75 42 34 72 48 6f 39 30 48 53 32 69 71 31 61 6d 4d 63 65 4d 4b 7a 34 76 37 65 68 53 57 51 45 51 74 55 36 74 41 76 51 51 78 31 73 35 36 2b 45 42 70 73 49 4d 67 7a 56 47 4b 62 5a 63 4b 47 55 59 45 33 46 44 43 39 69 2f 71 36 53 44 47 71 43 6d 38 4a 56 2b 6b 4d 37 64 64 49 5a 59 42 64 72 45 32 6d 74 50 4d 65 62 39 42 56 6b 45 2b 32 4b 6d 79 75 54 35 4b 34 55 74 39 36 79 61 49 58 32 65 54 36 30 2b 61 32 50 69 71 76 33 6c 42 48 6f 67 76 49 54 48 2f 47 74 51 73 45 78 4e 4c 44 43 7a 7a 73 43 61 31 30 2b 50 61 7a 57 42 79 4e 70 63 49 41 2f 73 3d Data Ascii: 4dV43tA=wsM13RFhpuNB51xUpYYuB4rHo90HS2iq1amMceMKz4v7ehSWQEQtU6tAvQQx1s56+EBpsIMgzVGKbZcKGUYE3FDC9i/q6SDGqCm8JV+kM7ddIZYBdrE2mtPMeb9BVkE+2KmyuT5K4Ut96yaIX2eT60+a2Piqv3lBHogvITH/GtQsExNLDCzzsCa10+PazWByNpcIA/s=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 14:16:06 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 14:16:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 14:16:16 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 14:16:19 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:00 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 6a 78 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vjxp/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:03 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 6a 78 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vjxp/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:05 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 6a 78 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vjxp/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:08 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 6a 78 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vjxp/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:13 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:16 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:18 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:21 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Mon, 01 Jul 2024 14:17:40 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cacheContent-Encoding: gzipData Raw: 33 63 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 54 5d 6f 13 47 14 7d 8e 7f c5 74 a3 0a 1b c5 3b 6b c7 b8 61 bd b6 44 51 2a 21 52 b5 52 53 f1 80 aa 6a bc 3b eb 1d b2 de d9 ec 8e f3 51 cb 12 49 4b 0a 02 9a a0 12 35 1f 95 68 43 9b 96 46 32 85 54 82 92 18 fe 4c 66 ed 3c e5 2f 74 f6 c3 c6 21 d4 7e d8 9d bb f7 9e 73 cf 9d 33 a3 7d 60 50 9d 2d ba 18 58 ac 6e 57 52 5a ff 81 91 21 56 75 cc 10 d0 2d e4 f9 98 95 a5 06 33 b3 13 92 08 33 c2 6c 5c e9 76 1e 74 f7 36 8f 37 9e 77 97 f6 f8 ce a6 06 e3 70 4a f3 d9 a2 f8 9c 3a df ac 23 af 46 1c 55 29 b9 c8 30 88 53 13 6f 3a b5 a9 a7 8e 16 0a 85 56 aa 4a 8d c5 a6 49 1d 96 f5 c9 37 58 cd 15 dc 85 52 b4 34 51 9d d8 8b aa c4 db 77 8f 3a 3f 4a ad 94 5c 47 c4 69 ce 13 83 59 6a 51 51 44 5e 02 9d 53 3e 04 a8 c1 68 49 e4 44 f4 cd 2a d2 67 6a 1e 6d 38 86 0a 46 f3 0a ba 30 8e 12 52 30 6a 9a 66 4c 10 f1 81 5c 51 00 59 98 d4 2c a6 82 42 88 6a 13 07 67 4f 45 92 ce b3 36 36 45 52 3e 4c 12 54 ba e8 12 3b 6c 88 2c 9b 08 33 c7 cd 8f cc 8b 25 90 80 e4 27 c2 8a 2a f5 0c ec a9 39 77 01 18 c8 b7 b0 01 46 f5 a2 71 b1 5a 1c 0c 26 04 0e 25 e4 9a 71 6e b6 4a 19 a3 75 d1 e3 d9 9a 98 29 54 53 50 14 25 16 34 9f a8 a8 52 db 28 81 64 38 40 11 ff a8 65 d0 97 31 80 9d 88 85 b0 7c b2 49 7d c2 30 0e a2 4d 48 20 43 c4 56 8a da 83 cd 4c 30 41 3e 2f 52 df 6e 6c 98 03 6c d2 1c 1e e1 78 a4 4a 83 89 21 34 68 c5 b6 f2 75 8f b8 ec ad b1 be 9c fe 44 18 0b 10 a3 2c 4d 5d fa fa f2 67 53 53 93 97 a7 25 e0 7b 7a 59 82 d0 37 66 e4 0b 39 d9 46 f0 86 9f 15 8b ac eb 51 b9 4e 1c f9 86 2f 55 04 78 04 26 5c 99 bc 4c 5d 92 89 43 58 ba 49 0c 55 ba fa f9 dc 17 b4 46 ae 91 85 8f 27 27 ad 6b 57 a4 31 7d e6 3d d1 56 66 08 27 b4 65 25 35 a2 19 64 0e e8 36 f2 fd b2 14 da 4f 18 7f e4 54 30 f2 9b 74 f6 18 88 ba 77 53 13 bf 44 10 23 9a db 87 65 39 a9 12 2c ff d9 dd fa ae f7 f4 45 f0 6c 99 bf dc 0d 7e be 73 f4 f2 3e 5f bb 1d ec af f3 d5 e5 60 fd ef 93 c3 7b fc c5 f3 de ce 5e 7c de ba ed 5f bb 6b 2b fc c1 46 af fd ba db 69 07 77 77 83 db 7f 9d 1c 2e 69 d0 7d 17 3d 2f 55 f8 ea d3 de b7 1d fe c3 23 be fd cb c9 e1 d6 20 89 8a b3 2e 5a 19 d1 6c 12 76 10 ac ae 1d bd fa 4d f4 c1 57 6e f1 f6 bf fc de 2d be b6 c7 ef 3f 3b de 7c 22 82 c1 c3 03 fe fd 41 dc a2 06 45 45 a4 02 26 18 43 72 42 c2 dd e5 a3 ce 7a ef 8f c7 7c 65 ff 7f 09 1f df 0c 1e fd 1e 73 c6 84 27 87 db 03 e0 a8 27 01 13 cb 0d ee 6c 08 c5 62 06 82 be b7 f4 b0 bb 7f d0 7d f2 ea f8 a7 7f c2 ea d7 db 7c 7d e5 4c 69 b0 d9 3e be b9 15 57 f7 da 6f 78 7b e7 54 75 74 69 0d 86 38 5c dd 57 a4 c1 78 07 93 a7 06 63 43 f4 fd 95 02 83 9f b8 15 a7 49 1d d3 06 4b 9b 0d 47 67 84 3a e9 4c 73 28 01 cc 21 0f 20 cf 2b 5f 3f 67 31 e6 aa 10 d6 66 8b 85 d9 82 ac 3b b0 e1 63 0f 1a d8 27 35 07 86 36 83 58 44 a0 3f e3 37 f0 ec 6c 63 d6 84 13 b9 73 63 5f 95 86 d0 e6 89 63 d0 79 d9 a6 3a 0a a9 64 cb c3 66 59 a0 5f 77 c3 0b fa 8a c3 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Mon, 01 Jul 2024 14:17:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cacheContent-Encoding: gzipData Raw: 33 63 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 54 5d 6f 13 47 14 7d 8e 7f c5 74 a3 0a 1b c5 3b 6b c7 b8 61 bd b6 44 51 2a 21 52 b5 52 53 f1 80 aa 6a bc 3b eb 1d b2 de d9 ec 8e f3 51 cb 12 49 4b 0a 02 9a a0 12 35 1f 95 68 43 9b 96 46 32 85 54 82 92 18 fe 4c 66 ed 3c e5 2f 74 f6 c3 c6 21 d4 7e d8 9d bb f7 9e 73 cf 9d 33 a3 7d 60 50 9d 2d ba 18 58 ac 6e 57 52 5a ff 81 91 21 56 75 cc 10 d0 2d e4 f9 98 95 a5 06 33 b3 13 92 08 33 c2 6c 5c e9 76 1e 74 f7 36 8f 37 9e 77 97 f6 f8 ce a6 06 e3 70 4a f3 d9 a2 f8 9c 3a df ac 23 af 46 1c 55 29 b9 c8 30 88 53 13 6f 3a b5 a9 a7 8e 16 0a 85 56 aa 4a 8d c5 a6 49 1d 96 f5 c9 37 58 cd 15 dc 85 52 b4 34 51 9d d8 8b aa c4 db 77 8f 3a 3f 4a ad 94 5c 47 c4 69 ce 13 83 59 6a 51 51 44 5e 02 9d 53 3e 04 a8 c1 68 49 e4 44 f4 cd 2a d2 67 6a 1e 6d 38 86 0a 46 f3 0a ba 30 8e 12 52 30 6a 9a 66 4c 10 f1 81 5c 51 00 59 98 d4 2c a6 82 42 88 6a 13 07 67 4f 45 92 ce b3 36 36 45 52 3e 4c 12 54 ba e8 12 3b 6c 88 2c 9b 08 33 c7 cd 8f cc 8b 25 90 80 e4 27 c2 8a 2a f5 0c ec a9 39 77 01 18 c8 b7 b0 01 46 f5 a2 71 b1 5a 1c 0c 26 04 0e 25 e4 9a 71 6e b6 4a 19 a3 75 d1 e3 d9 9a 98 29 54 53 50 14 25 16 34 9f a8 a8 52 db 28 81 64 38 40 11 ff a8 65 d0 97 31 80 9d 88 85 b0 7c b2 49 7d c2 30 0e a2 4d 48 20 43 c4 56 8a da 83 cd 4c 30 41 3e 2f 52 df 6e 6c 98 03 6c d2 1c 1e e1 78 a4 4a 83 89 21 34 68 c5 b6 f2 75 8f b8 ec ad b1 be 9c fe 44 18 0b 10 a3 2c 4d 5d fa fa f2 67 53 53 93 97 a7 25 e0 7b 7a 59 82 d0 37 66 e4 0b 39 d9 46 f0 86 9f 15 8b ac eb 51 b9 4e 1c f9 86 2f 55 04 78 04 26 5c 99 bc 4c 5d 92 89 43 58 ba 49 0c 55 ba fa f9 dc 17 b4 46 ae 91 85 8f 27 27 ad 6b 57 a4 31 7d e6 3d d1 56 66 08 27 b4 65 25 35 a2 19 64 0e e8 36 f2 fd b2 14 da 4f 18 7f e4 54 30 f2 9b 74 f6 18 88 ba 77 53 13 bf 44 10 23 9a db 87 65 39 a9 12 2c ff d9 dd fa ae f7 f4 45 f0 6c 99 bf dc 0d 7e be 73 f4 f2 3e 5f bb 1d ec af f3 d5 e5 60 fd ef 93 c3 7b fc c5 f3 de ce 5e 7c de ba ed 5f bb 6b 2b fc c1 46 af fd ba db 69 07 77 77 83 db 7f 9d 1c 2e 69 d0 7d 17 3d 2f 55 f8 ea d3 de b7 1d fe c3 23 be fd cb c9 e1 d6 20 89 8a b3 2e 5a 19 d1 6c 12 76 10 ac ae 1d bd fa 4d f4 c1 57 6e f1 f6 bf fc de 2d be b6 c7 ef 3f 3b de 7c 22 82 c1 c3 03 fe fd 41 dc a2 06 45 45 a4 02 26 18 43 72 42 c2 dd e5 a3 ce 7a ef 8f c7 7c 65 ff 7f 09 1f df 0c 1e fd 1e 73 c6 84 27 87 db 03 e0 a8 27 01 13 cb 0d ee 6c 08 c5 62 06 82 be b7 f4 b0 bb 7f d0 7d f2 ea f8 a7 7f c2 ea d7 db 7c 7d e5 4c 69 b0 d9 3e be b9 15 57 f7 da 6f 78 7b e7 54 75 74 69 0d 86 38 5c dd 57 a4 c1 78 07 93 a7 06 63 43 f4 fd 95 02 83 9f b8 15 a7 49 1d d3 06 4b 9b 0d 47 67 84 3a e9 4c 73 28 01 cc 21 0f 20 cf 2b 5f 3f 67 31 e6 aa 10 d6 66 8b 85 d9 82 ac 3b b0 e1 63 0f 1a d8 27 35 07 86 36 83 58 44 a0 3f e3 37 f0 ec 6c 63 d6 84 13 b9 73 63 5f 95 86 d0 e6 89 63 d0 79 d9 a6 3a 0a a9 64 cb c3 66 59 a0 5f 77 c3 0b fa 8a c3 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Mon, 01 Jul 2024 14:17:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cacheContent-Encoding: gzipData Raw: 33 63 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 54 5d 6f 13 47 14 7d 8e 7f c5 74 a3 0a 1b c5 3b 6b c7 b8 61 bd b6 44 51 2a 21 52 b5 52 53 f1 80 aa 6a bc 3b eb 1d b2 de d9 ec 8e f3 51 cb 12 49 4b 0a 02 9a a0 12 35 1f 95 68 43 9b 96 46 32 85 54 82 92 18 fe 4c 66 ed 3c e5 2f 74 f6 c3 c6 21 d4 7e d8 9d bb f7 9e 73 cf 9d 33 a3 7d 60 50 9d 2d ba 18 58 ac 6e 57 52 5a ff 81 91 21 56 75 cc 10 d0 2d e4 f9 98 95 a5 06 33 b3 13 92 08 33 c2 6c 5c e9 76 1e 74 f7 36 8f 37 9e 77 97 f6 f8 ce a6 06 e3 70 4a f3 d9 a2 f8 9c 3a df ac 23 af 46 1c 55 29 b9 c8 30 88 53 13 6f 3a b5 a9 a7 8e 16 0a 85 56 aa 4a 8d c5 a6 49 1d 96 f5 c9 37 58 cd 15 dc 85 52 b4 34 51 9d d8 8b aa c4 db 77 8f 3a 3f 4a ad 94 5c 47 c4 69 ce 13 83 59 6a 51 51 44 5e 02 9d 53 3e 04 a8 c1 68 49 e4 44 f4 cd 2a d2 67 6a 1e 6d 38 86 0a 46 f3 0a ba 30 8e 12 52 30 6a 9a 66 4c 10 f1 81 5c 51 00 59 98 d4 2c a6 82 42 88 6a 13 07 67 4f 45 92 ce b3 36 36 45 52 3e 4c 12 54 ba e8 12 3b 6c 88 2c 9b 08 33 c7 cd 8f cc 8b 25 90 80 e4 27 c2 8a 2a f5 0c ec a9 39 77 01 18 c8 b7 b0 01 46 f5 a2 71 b1 5a 1c 0c 26 04 0e 25 e4 9a 71 6e b6 4a 19 a3 75 d1 e3 d9 9a 98 29 54 53 50 14 25 16 34 9f a8 a8 52 db 28 81 64 38 40 11 ff a8 65 d0 97 31 80 9d 88 85 b0 7c b2 49 7d c2 30 0e a2 4d 48 20 43 c4 56 8a da 83 cd 4c 30 41 3e 2f 52 df 6e 6c 98 03 6c d2 1c 1e e1 78 a4 4a 83 89 21 34 68 c5 b6 f2 75 8f b8 ec ad b1 be 9c fe 44 18 0b 10 a3 2c 4d 5d fa fa f2 67 53 53 93 97 a7 25 e0 7b 7a 59 82 d0 37 66 e4 0b 39 d9 46 f0 86 9f 15 8b ac eb 51 b9 4e 1c f9 86 2f 55 04 78 04 26 5c 99 bc 4c 5d 92 89 43 58 ba 49 0c 55 ba fa f9 dc 17 b4 46 ae 91 85 8f 27 27 ad 6b 57 a4 31 7d e6 3d d1 56 66 08 27 b4 65 25 35 a2 19 64 0e e8 36 f2 fd b2 14 da 4f 18 7f e4 54 30 f2 9b 74 f6 18 88 ba 77 53 13 bf 44 10 23 9a db 87 65 39 a9 12 2c ff d9 dd fa ae f7 f4 45 f0 6c 99 bf dc 0d 7e be 73 f4 f2 3e 5f bb 1d ec af f3 d5 e5 60 fd ef 93 c3 7b fc c5 f3 de ce 5e 7c de ba ed 5f bb 6b 2b fc c1 46 af fd ba db 69 07 77 77 83 db 7f 9d 1c 2e 69 d0 7d 17 3d 2f 55 f8 ea d3 de b7 1d fe c3 23 be fd cb c9 e1 d6 20 89 8a b3 2e 5a 19 d1 6c 12 76 10 ac ae 1d bd fa 4d f4 c1 57 6e f1 f6 bf fc de 2d be b6 c7 ef 3f 3b de 7c 22 82 c1 c3 03 fe fd 41 dc a2 06 45 45 a4 02 26 18 43 72 42 c2 dd e5 a3 ce 7a ef 8f c7 7c 65 ff 7f 09 1f df 0c 1e fd 1e 73 c6 84 27 87 db 03 e0 a8 27 01 13 cb 0d ee 6c 08 c5 62 06 82 be b7 f4 b0 bb 7f d0 7d f2 ea f8 a7 7f c2 ea d7 db 7c 7d e5 4c 69 b0 d9 3e be b9 15 57 f7 da 6f 78 7b e7 54 75 74 69 0d 86 38 5c dd 57 a4 c1 78 07 93 a7 06 63 43 f4 fd 95 02 83 9f b8 15 a7 49 1d d3 06 4b 9b 0d 47 67 84 3a e9 4c 73 28 01 cc 21 0f 20 cf 2b 5f 3f 67 31 e6 aa 10 d6 66 8b 85 d9 82 ac 3b b0 e1 63 0f 1a d8 27 35 07 86 36 83 58 44 a0 3f e3 37 f0 ec 6c 63 d6 84 13 b9 73 63 5f 95 86 d0 e6 89 63 d0 79 d9 a6 3a 0a a9 64 cb c3 66 59 a0 5f 77 c3 0b fa 8a c3 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Mon, 01 Jul 2024 14:17:48 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cacheData Raw: 36 31 33 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e e7 bd 91 e7 ab 99 e9 98 b2 e7 81 ab e5 a2 99 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 63 6f 6c 6f 72 3a 23 34 34 34 7d 0a 62 6f 64 79 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 e5 ae 8b e4 bd 93 22 7d 0a 2e 6d 61 69 6e 7b 77 69 64 74 68 3a 36 30 30 70 78 3b 6d 61 72 67 69 6e 3a 31 30 25 20 61 75 74 6f 3b 7d 0a 2e 74 69 74 6c 65 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 30 61 35 33 61 3b 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 68 65 69 67 68 74 3a 20 34 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 34 30 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 32 30 70 78 3b 7d 0a 2e 63 6f 6e 74 65 6e 74 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 33 66 37 66 39 3b 20 68 65 69 67 68 74 3a 32 38 30 70 78 3b 62 6f 72 64 65 72 3a 31 70 78 20 64 61 73 68 65 64 20 23 63 36 64 39 62 36 3b 70 61 64 64 69 6e 67 3a 32 30 70 78 7d 0a 2e 74 31 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 64 61 73 68 65 64 20 23 63 36 64 39 62 36 3b 63 6f 6c 6f 72 3a 20 23 66 66 34 30 30 30 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 32 30 70 78 3b 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 31 38 70 78 3b 7d 0a 2e 74 32 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 38 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 0a 6f 6c 7b 6d 61 72 67 69 6e 3a 30 20 30 20 32 30 70 78 20 32 32 70 78 3b 70 61 64 64 69 6e 67 3a 30 3b 7d 0a 6f 6c 20 6c 69 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 33 30 70 78 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 73 63 72 69 70 74 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 69 64 3d 22 4c 41 5f 43 4f 4c 4c 45 43 54 22 20 73 72 63 3d 22 2f 2f 73 64 6b 2e 35 31 2e 6c 61 2f 6a 73 2d 73 64 6b 2d 70 72 6f 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 4c 41 2e 69 6e 69 74 28 7b 69 64 3a 22 4b 50 76 53 6f 67 69 57 69 78 42 45 45 68 57 49 22 2c 63 6b 3a 22 4b 50 76 53 6f 67 69 57 69 78 42 45 45 68 57 49 22 7d 29 3c 2f 73 63 72 69 70 74 3e 0a 3c 62 6f 64 79 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e e7 bd 91 e7 ab 99 e9 98 b2 e7 81 ab e5 a2 99 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 09 09 3c 70 20 63 6c 61 73 73 3d 22 74 31 22 3e e6 82 a8 e7 9a 84 e8 af b7 e6 b1 82 e5 b8 a6 e6 9c 89 e4 b8 8d e5 90 88 e6 b3 95 e5 8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 01 Jul 2024 14:18:07 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 01 Jul 2024 14:18:10 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 01 Jul 2024 14:18:12 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 01 Jul 2024 14:18:14 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Source: rPRESUPUESTO.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: rPRESUPUESTO.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000003EA0000.00000004.10000000.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000003E80000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://gq64q4.cn/user/design/clas/euse/sksueqquqf/81
Source: rPRESUPUESTO.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: rPRESUPUESTO.exe, 00000000.00000002.2154526498.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ktmutil.exe, 00000009.00000002.4589157081.00000000044E8000.00000004.10000000.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.00000000044C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://ww16.atmpla.net/n983/?3hkl=slNhbLXpBjO8vl&4dV43tA=e
Source: ktmutil.exe, 00000009.00000002.4589157081.000000000467A000.00000004.10000000.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.000000000465A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://ww7.europedriveguide.com/2pcd/?4dV43tA=tIH23YAAyU0vk1VwVlLsnDkrzub9KGyrHgMKKMQURaOCIZhbg0Upzh
Source: MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4590404042.00000000055B8000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.genesiestudios.online
Source: MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4590404042.00000000055B8000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.genesiestudios.online/s29p/
Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://active24.com/cssc/a21/main.less?v=7d8e320747f67055c1a1008fbc40d0c1
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://active24.cz/objednavka/domain/availability/list
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://blog.active24.cz//
Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://customer.active24.com/
Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://faq.active24.com/cz/045021-Webov%c3%a9-str%c3%a1nky-a-E-shopy
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://faq.active24.com/cz/085122-Hosting-a-Servery
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://faq.active24.com/cz/162807-DNS-hosting?l=cs
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://faq.active24.com/cz/757409-Bezpe%c4%8dnost
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://faq.active24.com/cz/806087-Z%c3%a1kladn%c3%ad-informace
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://faq.active24.com/cz/808905-E-mailov%c3%a1-%c5%99e%c5%a1en%c3%ad
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://faq.active24.com/cz/920729-Dom%c3%a9ny-a-DNS
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://faq.active24.com/cz/932337-Spolupr%c3%a1ce
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://faq.active24.com/cz/939671-Fakturace-a-platby
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Titillium
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/css/landing.css
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/font/active24-icons.eot
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/font/active24-icons.svg
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/font/active24-icons.ttf
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/font/active24-icons.woff
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/default-domain/dns.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/default-domain/dnssec.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/default-domain/free.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/default-domain/image.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/default-domain/notify.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/default-domain/redirect.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/default-domain/superpage.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/icon/a24-apple-favicon-114x114.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/icon/a24-apple-favicon-120x120.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/icon/a24-apple-favicon-144x144.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/icon/a24-apple-favicon-152x152.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/icon/a24-apple-favicon-180x180.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/icon/a24-apple-favicon-57x57.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/icon/a24-apple-favicon-60x60.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/icon/a24-apple-favicon-72x72.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/icon/a24-apple-favicon-76x76.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/icon/a24-favicon-16x16.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/icon/a24-favicon-192x192.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/icon/a24-favicon-32x32.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/icon/a24-favicon-96x96.png
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/icon/a24-ms-icon-144x144.png
Source: MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/img/webmail_ikony_vlajky.png)
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gui.active24.cz/library/theme/hp16/style.css
Source: ktmutil.exe, 00000009.00000002.4587088156.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ktmutil.exe, 00000009.00000002.4587088156.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: ktmutil.exe, 00000009.00000002.4587088156.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ktmutil.exe, 00000009.00000002.4587088156.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: ktmutil.exe, 00000009.00000002.4587088156.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ktmutil.exe, 00000009.00000002.4587088156.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: ktmutil.exe, 00000009.00000003.2510849899.0000000007480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://mssql.active24.com/
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://mysql.active24.com/
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://webftp.active24.com/
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://webmail.active24.com/
Source: MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/dnssec
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/domeny
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/domeny#m-certifikace
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/jak-na-tvorbu-webu
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/klientska-zona/zakaznicka-podpora
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/o-spolecnosti
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/o-spolecnosti/kariera
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/o-spolecnosti/kontakty
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/o-spolecnosti/media
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/o-spolecnosti/obchodni-podminky
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/o-spolecnosti/rikaji-o-nas-zakaznici
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/objednavka/login
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/spoluprace
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/upozorneni
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/webforward-mailforward
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.active24.com/weby/mojestranky
Source: rPRESUPUESTO.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: ktmutil.exe, 00000009.00000002.4589157081.000000000480C000.00000004.10000000.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.00000000047EC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.coinmao.com/irbt/?3hkl=slNhbLXpBjO8vl&4dV43tA=mqJtasd7r
Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004032000.00000004.10000000.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004012000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.superstranka.cz/
Source: MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000003CEE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.transelva.com/edi4/?4dV43tA=NUWN0h33C1Yyooj/Nqm5TKnDvFAfPsTlu/xXoo6GTaC/958/rmN21lJSbp33

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.rPRESUPUESTO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rPRESUPUESTO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2328576677.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4590404042.0000000005560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4588343221.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4588414444.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.rPRESUPUESTO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.rPRESUPUESTO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2328576677.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4590404042.0000000005560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.4588343221.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.4588414444.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4588318441.0000000004C60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2329601584.00000000038F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2329601584.0000000002EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4588318441.0000000004260000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0042B623 NtClose,	5_2_0042B623
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812B60 NtClose,LdrInitializeThunk,	5_2_01812B60
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_01812DF0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_01812C70
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_018135C0 NtCreateMutant,LdrInitializeThunk,	5_2_018135C0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01814340 NtSetContextThread,	5_2_01814340
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01814650 NtSuspendThread,	5_2_01814650
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812B80 NtQueryInformationFile,	5_2_01812B80
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812BA0 NtEnumerateValueKey,	5_2_01812BA0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812BE0 NtQueryValueKey,	5_2_01812BE0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812BF0 NtAllocateVirtualMemory,	5_2_01812BF0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812AB0 NtWaitForSingleObject,	5_2_01812AB0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812AD0 NtReadFile,	5_2_01812AD0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812AF0 NtWriteFile,	5_2_01812AF0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812DB0 NtEnumerateKey,	5_2_01812DB0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812DD0 NtDelayExecution,	5_2_01812DD0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812D00 NtSetInformationFile,	5_2_01812D00
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812D10 NtMapViewOfSection,	5_2_01812D10
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812D30 NtUnmapViewOfSection,	5_2_01812D30
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812CA0 NtQueryInformationToken,	5_2_01812CA0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812CC0 NtQueryVirtualMemory,	5_2_01812CC0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812CF0 NtOpenProcess,	5_2_01812CF0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812C00 NtQueryInformationProcess,	5_2_01812C00
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812C60 NtCreateKey,	5_2_01812C60
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812F90 NtProtectVirtualMemory,	5_2_01812F90
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812FA0 NtQuerySection,	5_2_01812FA0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812FB0 NtResumeThread,	5_2_01812FB0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812FE0 NtCreateFile,	5_2_01812FE0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812F30 NtCreateSection,	5_2_01812F30
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812F60 NtCreateProcessEx,	5_2_01812F60
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812E80 NtReadVirtualMemory,	5_2_01812E80
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812EA0 NtAdjustPrivilegesToken,	5_2_01812EA0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812EE0 NtQueueApcThread,	5_2_01812EE0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01812E30 NtWriteVirtualMemory,	5_2_01812E30
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01813090 NtSetValueKey,	5_2_01813090
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01813010 NtOpenDirectoryObject,	5_2_01813010
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_018139B0 NtGetContextThread,	5_2_018139B0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01813D10 NtOpenProcessToken,	5_2_01813D10
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01813D70 NtOpenThread,	5_2_01813D70
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B94340 NtSetContextThread,LdrInitializeThunk,	9_2_02B94340
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B94650 NtSuspendThread,LdrInitializeThunk,	9_2_02B94650
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92AF0 NtWriteFile,LdrInitializeThunk,	9_2_02B92AF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92AD0 NtReadFile,LdrInitializeThunk,	9_2_02B92AD0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92BA0 NtEnumerateValueKey,LdrInitializeThunk,	9_2_02B92BA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_02B92BF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92BE0 NtQueryValueKey,LdrInitializeThunk,	9_2_02B92BE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92B60 NtClose,LdrInitializeThunk,	9_2_02B92B60
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92E80 NtReadVirtualMemory,LdrInitializeThunk,	9_2_02B92E80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92EE0 NtQueueApcThread,LdrInitializeThunk,	9_2_02B92EE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92FB0 NtResumeThread,LdrInitializeThunk,	9_2_02B92FB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92FE0 NtCreateFile,LdrInitializeThunk,	9_2_02B92FE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92F30 NtCreateSection,LdrInitializeThunk,	9_2_02B92F30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_02B92CA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_02B92C70
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92C60 NtCreateKey,LdrInitializeThunk,	9_2_02B92C60
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_02B92DF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92DD0 NtDelayExecution,LdrInitializeThunk,	9_2_02B92DD0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92D30 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_02B92D30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_02B92D10
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B935C0 NtCreateMutant,LdrInitializeThunk,	9_2_02B935C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B939B0 NtGetContextThread,LdrInitializeThunk,	9_2_02B939B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92AB0 NtWaitForSingleObject,	9_2_02B92AB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92B80 NtQueryInformationFile,	9_2_02B92B80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92EA0 NtAdjustPrivilegesToken,	9_2_02B92EA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92E30 NtWriteVirtualMemory,	9_2_02B92E30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92FA0 NtQuerySection,	9_2_02B92FA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92F90 NtProtectVirtualMemory,	9_2_02B92F90
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92F60 NtCreateProcessEx,	9_2_02B92F60
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92CF0 NtOpenProcess,	9_2_02B92CF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92CC0 NtQueryVirtualMemory,	9_2_02B92CC0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92C00 NtQueryInformationProcess,	9_2_02B92C00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92DB0 NtEnumerateKey,	9_2_02B92DB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B92D00 NtSetInformationFile,	9_2_02B92D00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B93090 NtSetValueKey,	9_2_02B93090
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B93010 NtOpenDirectoryObject,	9_2_02B93010
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B93D10 NtOpenProcessToken,	9_2_02B93D10
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B93D70 NtOpenThread,	9_2_02B93D70
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_001A8010 NtReadFile,	9_2_001A8010
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_001A80F0 NtDeleteFile,	9_2_001A80F0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_001A8190 NtClose,	9_2_001A8190
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_001A82E0 NtAllocateVirtualMemory,	9_2_001A82E0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_001A7EB0 NtCreateFile,	9_2_001A7EB0

Detected potential crypto function

Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 0_2_0110DF14	0_2_0110DF14
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 0_2_07874320	0_2_07874320
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 0_2_0787D2F8	0_2_0787D2F8
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 0_2_07872AC1	0_2_07872AC1
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 0_2_078787A8	0_2_078787A8
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 0_2_07877768	0_2_07877768
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 0_2_07877330	0_2_07877330
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 0_2_078792CF	0_2_078792CF
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 0_2_078792E0	0_2_078792E0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 0_2_07876EF8	0_2_07876EF8
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 0_2_0787ECC0	0_2_0787ECC0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 0_2_078789F8	0_2_078789F8
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00402800	5_2_00402800
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0042DA63	5_2_0042DA63
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00403207	5_2_00403207
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00403210	5_2_00403210
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_004022CC	5_2_004022CC
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_004022D0	5_2_004022D0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0041028D	5_2_0041028D
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00410293	5_2_00410293
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00416BFE	5_2_00416BFE
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00416C03	5_2_00416C03
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_004024CC	5_2_004024CC
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_004024D0	5_2_004024D0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00402C8B	5_2_00402C8B
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00402C90	5_2_00402C90
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_004104B3	5_2_004104B3
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0040E52A	5_2_0040E52A
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0040E533	5_2_0040E533
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00402EC0	5_2_00402EC0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00402EBB	5_2_00402EBB
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_018A01AA	5_2_018A01AA
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_018941A2	5_2_018941A2
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_018981CC	5_2_018981CC
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017D0100	5_2_017D0100
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0187A118	5_2_0187A118
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01868158	5_2_01868158
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01872000	5_2_01872000
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_018A03E6	5_2_018A03E6
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017EE3F0	5_2_017EE3F0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0189A352	5_2_0189A352
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_018602C0	5_2_018602C0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01880274	5_2_01880274
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_018A0591	5_2_018A0591
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017E0535	5_2_017E0535
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0188E4F6	5_2_0188E4F6
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01884420	5_2_01884420
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01892446	5_2_01892446
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017E0770	5_2_017E0770
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017DC7C0	5_2_017DC7C0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01804750	5_2_01804750
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017FC6E0	5_2_017FC6E0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017F6962	5_2_017F6962
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_018AA9A6	5_2_018AA9A6
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017E29A0	5_2_017E29A0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017E2840	5_2_017E2840
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017EA840	5_2_017EA840
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0180E8F0	5_2_0180E8F0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017C68B8	5_2_017C68B8
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01896BD7	5_2_01896BD7
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0189AB40	5_2_0189AB40
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017DEA80	5_2_017DEA80
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017EAD00	5_2_017EAD00
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0187CD1F	5_2_0187CD1F
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017DADE0	5_2_017DADE0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017F8DBF	5_2_017F8DBF
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01880CB5	5_2_01880CB5
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017E0C00	5_2_017E0C00
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017D0CF2	5_2_017D0CF2
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0185EFA0	5_2_0185EFA0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017ECFE0	5_2_017ECFE0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01822F28	5_2_01822F28
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01800F30	5_2_01800F30
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017D2FC8	5_2_017D2FC8
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01882F30	5_2_01882F30
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01854F40	5_2_01854F40
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0189CE93	5_2_0189CE93
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017E0E59	5_2_017E0E59
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0189EEDB	5_2_0189EEDB
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0189EE26	5_2_0189EE26
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017F2E90	5_2_017F2E90
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017CF172	5_2_017CF172
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017EB1B0	5_2_017EB1B0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_018AB16B	5_2_018AB16B
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0181516C	5_2_0181516C
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0188F0CC	5_2_0188F0CC
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_018970E9	5_2_018970E9
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0189F0E0	5_2_0189F0E0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017E70C0	5_2_017E70C0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0182739A	5_2_0182739A
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017CD34C	5_2_017CD34C
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0189132D	5_2_0189132D
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_018812ED	5_2_018812ED
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017FB2C0	5_2_017FB2C0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017E52A0	5_2_017E52A0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0187D5B0	5_2_0187D5B0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_018A95C3	5_2_018A95C3
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01897571	5_2_01897571
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017D1460	5_2_017D1460
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0189F43F	5_2_0189F43F
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0189F7B0	5_2_0189F7B0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_018916CC	5_2_018916CC
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01825630	5_2_01825630
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017E9950	5_2_017E9950
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017FB950	5_2_017FB950
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01875910	5_2_01875910
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0184D800	5_2_0184D800
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017E38E0	5_2_017E38E0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01855BF0	5_2_01855BF0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0181DBF9	5_2_0181DBF9
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0189FB76	5_2_0189FB76
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017FFB80	5_2_017FFB80
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01825AA0	5_2_01825AA0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0187DAAC	5_2_0187DAAC
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01881AA3	5_2_01881AA3
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0188DAC6	5_2_0188DAC6
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0189FA49	5_2_0189FA49
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01897A46	5_2_01897A46
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01853A6C	5_2_01853A6C
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017E3D40	5_2_017E3D40
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017FFDC0	5_2_017FFDC0
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01891D5A	5_2_01891D5A
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01897D73	5_2_01897D73
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0189FCF2	5_2_0189FCF2
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_01859C32	5_2_01859C32
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0189FFB1	5_2_0189FFB1
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0189FF09	5_2_0189FF09
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017E1F92	5_2_017E1F92
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017E9EB0	5_2_017E9EB0
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Code function: 8_2_04C6BFCA	8_2_04C6BFCA
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BE02C0	9_2_02BE02C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C00274	9_2_02C00274
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C203E6	9_2_02C203E6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B6E3F0	9_2_02B6E3F0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C1A352	9_2_02C1A352
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BF2000	9_2_02BF2000
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C181CC	9_2_02C181CC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C141A2	9_2_02C141A2
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C201AA	9_2_02C201AA
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BFA118	9_2_02BFA118
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B50100	9_2_02B50100
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BE8158	9_2_02BE8158
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B7C6E0	9_2_02B7C6E0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B5C7C0	9_2_02B5C7C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B60770	9_2_02B60770
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B84750	9_2_02B84750
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C0E4F6	9_2_02C0E4F6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C12446	9_2_02C12446
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C04420	9_2_02C04420
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C20591	9_2_02C20591
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B60535	9_2_02B60535
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B5EA80	9_2_02B5EA80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C16BD7	9_2_02C16BD7
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C1AB40	9_2_02C1AB40
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B468B8	9_2_02B468B8
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B8E8F0	9_2_02B8E8F0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B62840	9_2_02B62840
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B6A840	9_2_02B6A840
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B629A0	9_2_02B629A0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C2A9A6	9_2_02C2A9A6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B76962	9_2_02B76962
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C1EEDB	9_2_02C1EEDB
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B72E90	9_2_02B72E90
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C1CE93	9_2_02C1CE93
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C1EE26	9_2_02C1EE26
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B60E59	9_2_02B60E59
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BDEFA0	9_2_02BDEFA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B6CFE0	9_2_02B6CFE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B52FC8	9_2_02B52FC8
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B80F30	9_2_02B80F30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BA2F28	9_2_02BA2F28
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C02F30	9_2_02C02F30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BD4F40	9_2_02BD4F40
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B50CF2	9_2_02B50CF2
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C00CB5	9_2_02C00CB5
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B60C00	9_2_02B60C00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B78DBF	9_2_02B78DBF
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B5ADE0	9_2_02B5ADE0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BFCD1F	9_2_02BFCD1F
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B6AD00	9_2_02B6AD00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B652A0	9_2_02B652A0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C012ED	9_2_02C012ED
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B7B2C0	9_2_02B7B2C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BA739A	9_2_02BA739A
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C1132D	9_2_02C1132D
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B4D34C	9_2_02B4D34C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C0F0CC	9_2_02C0F0CC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C1F0E0	9_2_02C1F0E0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C170E9	9_2_02C170E9
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B670C0	9_2_02B670C0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B6B1B0	9_2_02B6B1B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C2B16B	9_2_02C2B16B
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B4F172	9_2_02B4F172
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B9516C	9_2_02B9516C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C116CC	9_2_02C116CC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C1F7B0	9_2_02C1F7B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B51460	9_2_02B51460
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C1F43F	9_2_02C1F43F
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BFD5B0	9_2_02BFD5B0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C17571	9_2_02C17571
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C0DAC6	9_2_02C0DAC6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BFDAAC	9_2_02BFDAAC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BA5AA0	9_2_02BA5AA0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C01AA3	9_2_02C01AA3
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C17A46	9_2_02C17A46
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C1FA49	9_2_02C1FA49
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BD3A6C	9_2_02BD3A6C
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B7FB80	9_2_02B7FB80
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B9DBF9	9_2_02B9DBF9
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BD5BF0	9_2_02BD5BF0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C1FB76	9_2_02C1FB76
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B638E0	9_2_02B638E0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BCD800	9_2_02BCD800
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BF5910	9_2_02BF5910
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B69950	9_2_02B69950
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B7B950	9_2_02B7B950
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B69EB0	9_2_02B69EB0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B61F92	9_2_02B61F92
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C1FFB1	9_2_02C1FFB1
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C1FF09	9_2_02C1FF09
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C1FCF2	9_2_02C1FCF2
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02BD9C32	9_2_02BD9C32
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B7FDC0	9_2_02B7FDC0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C11D5A	9_2_02C11D5A
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02C17D73	9_2_02C17D73
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B63D40	9_2_02B63D40
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_00191C30	9_2_00191C30
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_001AA5D0	9_2_001AA5D0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_0018CDFA	9_2_0018CDFA
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_0018CE00	9_2_0018CE00
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_0018D020	9_2_0018D020
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_0018B097	9_2_0018B097
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_0018B0A0	9_2_0018B0A0
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_00193770	9_2_00193770
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_0019376B	9_2_0019376B
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02A1C0CC	9_2_02A1C0CC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02A1B138	9_2_02A1B138
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02A1BC18	9_2_02A1BC18
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02A1BD34	9_2_02A1BD34

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 02BDF290 appears 105 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 02BA7E54 appears 102 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 02B95130 appears 58 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 02BCEA12 appears 86 times
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: String function: 02B4B970 appears 280 times
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: String function: 01815130 appears 58 times
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: String function: 0184EA12 appears 86 times
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: String function: 0185F290 appears 105 times
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: String function: 017CB970 appears 280 times
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: String function: 01827E54 appears 111 times

PE / OLE file has an invalid certificate

Source: rPRESUPUESTO.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: rPRESUPUESTO.exe, 00000000.00000002.2177247151.0000000008260000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs rPRESUPUESTO.exe
Source: rPRESUPUESTO.exe, 00000000.00000002.2156547994.0000000003B94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs rPRESUPUESTO.exe
Source: rPRESUPUESTO.exe, 00000000.00000000.2107699346.000000000058E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamegESw.exe, vs rPRESUPUESTO.exe
Source: rPRESUPUESTO.exe, 00000000.00000002.2154526498.0000000002951000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs rPRESUPUESTO.exe
Source: rPRESUPUESTO.exe, 00000000.00000002.2170963335.00000000076B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs rPRESUPUESTO.exe
Source: rPRESUPUESTO.exe, 00000000.00000002.2153184688.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rPRESUPUESTO.exe
Source: rPRESUPUESTO.exe, 00000005.00000002.2328360185.0000000001347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamektmutil.exej% vs rPRESUPUESTO.exe
Source: rPRESUPUESTO.exe, 00000005.00000002.2328716564.00000000018CD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rPRESUPUESTO.exe
Source: rPRESUPUESTO.exe	Binary or memory string: OriginalFilenamegESw.exe, vs rPRESUPUESTO.exe

Uses 32bit PE files

Source: rPRESUPUESTO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 5.2.rPRESUPUESTO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.rPRESUPUESTO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2328576677.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4590404042.0000000005560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.4588343221.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.4588414444.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4588318441.0000000004C60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2329601584.00000000038F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2329601584.0000000002EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4588318441.0000000004260000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: rPRESUPUESTO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, kMIXWOixU8twbSWtxx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Awxd2xNHUlt8uvrdfk.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Awxd2xNHUlt8uvrdfk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Awxd2xNHUlt8uvrdfk.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, kMIXWOixU8twbSWtxx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, kMIXWOixU8twbSWtxx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, Awxd2xNHUlt8uvrdfk.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, Awxd2xNHUlt8uvrdfk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, Awxd2xNHUlt8uvrdfk.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Awxd2xNHUlt8uvrdfk.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Awxd2xNHUlt8uvrdfk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Awxd2xNHUlt8uvrdfk.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/7@16/14

Source: C:\Users\user\Desktop\rPRESUPUESTO.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rPRESUPUESTO.exe.log

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: unknown	Process created: C:\Users\user\Desktop\rPRESUPUESTO.exe "C:\Users\user\Desktop\rPRESUPUESTO.exe"
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPRESUPUESTO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process created: C:\Users\user\Desktop\rPRESUPUESTO.exe "C:\Users\user\Desktop\rPRESUPUESTO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"
Source: C:\Windows\SysWOW64\ktmutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPRESUPUESTO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process created: C:\Users\user\Desktop\rPRESUPUESTO.exe "C:\Users\user\Desktop\rPRESUPUESTO.exe"	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, Awxd2xNHUlt8uvrdfk.cs	.Net Code: M9vXm3sDMA System.Reflection.Assembly.Load(byte[])
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Awxd2xNHUlt8uvrdfk.cs	.Net Code: M9vXm3sDMA System.Reflection.Assembly.Load(byte[])
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Awxd2xNHUlt8uvrdfk.cs	.Net Code: M9vXm3sDMA System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 0_2_0787AF9B push B807888Ch; iretd	0_2_0787AFA5
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00414873 push ds; ret	5_2_00414882
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00405163 push F29618B7h; iretd	5_2_00405168
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00424103 push edi; retf	5_2_0042410C
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_0040512C push esi; iretd	5_2_0040512F
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_004169CC push ecx; retf	5_2_004169CD
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_004049E6 push ecx; retf	5_2_004049E7
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_004049E8 push eax; retf	5_2_004049EB
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00411B84 push es; ret	5_2_00411B8F
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00411B97 pushfd ; ret	5_2_00411BAB
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00403490 push eax; ret	5_2_00403492
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_00404D07 push ds; ret	5_2_00404D10
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Code function: 5_2_017D09AD push ecx; mov dword ptr [esp], ecx	5_2_017D09B6
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Code function: 8_2_04C6D089 push eax; ret	8_2_04C6D08B
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Code function: 8_2_04C6265F push edi; retf	8_2_04C62673
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Code function: 8_2_04C6AE6D push cs; retf	8_2_04C6AE6E
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Code function: 8_2_04C6266A push edi; retf	8_2_04C62673
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Code function: 8_2_04C6221D push esp; iretd	8_2_04C6223A
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Code function: 8_2_04C6278D push ecx; iretd	8_2_04C6278E
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Code function: 8_2_04C617BB push esp; iretd	8_2_04C617CA
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	Code function: 8_2_04C62743 push ecx; iretd	8_2_04C62744
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_02B509AD push ecx; mov dword ptr [esp], ecx	9_2_02B509B6
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_0018E6F1 push es; ret	9_2_0018E6FC
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_0018E704 pushfd ; ret	9_2_0018E718
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_001A0C70 push edi; retf	9_2_001A0C79
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_001913E0 push ds; ret	9_2_001913EF
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_00193539 push ecx; retf	9_2_0019353A
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_00181553 push ecx; retf	9_2_00181554
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_00181555 push eax; retf	9_2_00181558
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_00181874 push ds; ret	9_2_0018187D
Source: C:\Windows\SysWOW64\ktmutil.exe	Code function: 9_2_00181C99 push esi; iretd	9_2_00181C9C

Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, dYxsZezjD2vd6yPHgC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UI3xEXPaLx', 'chPxoE7mpQ', 'n9XxtcsV6d', 'lctx2jJrAR', 'isbxl1oKcg', 'NwPxxJXMot', 'm6LxLK9j1p'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, jnNieI10C29r6YPK4W.cs	High entropy of concatenated method names: 'eHdTwuS5tA', 'boeTsV9I6h', 'Vmy40wruRa', 'ICi4Pe4v12', 'qrs4ZhUHZE', 'Mbk4n9y99p', 'lsj4Kwow1e', 'sbx4UbY56q', 'Qc94fwFVfi', 'Qih4Qv82R2'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, l1J7HFBZ1MgJlBwPK5.cs	High entropy of concatenated method names: 'do1xkYJ5ZO', 'YhaxGaoLyJ', 'RhXxXkFT5n', 'l7Kxu5gOvP', 'HGwxpekyZ9', 'lPVxTt5ep8', 'U5vxyTZ9cl', 'A4hlVHD1iO', 'hL9l7qNwUP', 'tPTlDHmnFm'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, rMS3WvcctN5gsoIYYg.cs	High entropy of concatenated method names: 'fD827ngggY', 'DD82B3cVQZ', 'Lp2lqNSVFd', 'THIlkGEP5h', 't2F2aIPypX', 'wgo2Rb6yG6', 'aRo2CnF7Zw', 'Bp82jLna0g', 'pGL29waH5P', 'fA72O7uumC'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, jcxJwOgYMsNuWo6rDt.cs	High entropy of concatenated method names: 'w874r60JFP', 'EhP4vNPr6I', 'Jfw4iu0Aha', 'sCK4gdGvN4', 'eYJ4orhu6n', 'EJL4td4MwM', 'zbB42iprRT', 'yS64lYXdSW', 'eXQ4xGl3EE', 'FEC4LiqFaE'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, kMIXWOixU8twbSWtxx.cs	High entropy of concatenated method names: 'FUEpj5hc98', 'Pdnp9h3jT5', 'HYQpON6Pb0', 'c3CpIwqvD9', 'qmYpAdPls6', 'GelpcZy3sK', 'Y0rpVgHqBY', 'Yqpp7qno6P', 'mnvpDnBbkp', 'gKHpBmkixK'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, Ays466Ye2OgS5tPSlk.cs	High entropy of concatenated method names: 'UmI8jD4es13CVk9kWCJ', 'g8JfXI4OovIFxvqN7DX', 'MqKyly7TfD', 'CPXyxPIsdo', 'AGpyLOup2E', 'PlVSsj4fyiHdeOSQnrT', 'y6kUTv4EZ0bm7gBVQwN'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, NZwxqDXBm7FlmwqLQl.cs	High entropy of concatenated method names: 'SWNkHMIXWO', 'rU8kNtwbSW', 'TYMkbsNuWo', 'urDkWtHnNi', 'GPKko4WFFj', 'btfktZgqUl', 'If4Uknt3EXGbCdPc05', 'LpM7y6pvYCRCX7TIDS', 'z71KoHr8C5kZiNNQmm', 'qRrkk768NW'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, sTe3F6fHuEKyNny7Lb.cs	High entropy of concatenated method names: 'L8EHJAGhxX', 'VjrH5PQ6B8', 'RQwHmyJ5SQ', 'a27HrQcZy5', 'l3OHwbyL49', 'aHkHva3jEA', 'Cu1HsUjETg', 'yEGHihThoL', 'A1GHg9NQqI', 'SFiH1EG3OT'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, Ljd7rDCBt3UIxc8BUY.cs	High entropy of concatenated method names: 'P5eEiKjnhp', 'F5pEgh7Qes', 'bARESosOXZ', 'kEbEYnsw5Y', 'jwPEPsSQ0t', 'mv4EZM9Km2', 'STiEKTRlL1', 'AkiEU4XKZG', 'pcoEQKtcOS', 'RCmEa4hv8y'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, CHhd18p30b5FjJ912H.cs	High entropy of concatenated method names: 'Dispose', 'j5GkDvOn2u', 'ImG8Y3ZePm', 'Bullllp2VL', 'acykBvj2dR', 'v9wkzc0YZE', 'ProcessDialogKey', 'Fcr8qSVmU4', 'VMZ8krBmlK', 'ldn88h1J7H'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, Vyvj2d7RF9wc0YZE1c.cs	High entropy of concatenated method names: 'zpZludnjXV', 'UdUlpS8247', 'W6Vl4HV2Wg', 'lJBlTexnAb', 'nSdlyqoh1J', 'yeVlH1sQsw', 'yjRlNEO0lj', 'Q6clh5w74c', 'wwMlbuAV6r', 'IAqlWlyyL2'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, Awxd2xNHUlt8uvrdfk.cs	High entropy of concatenated method names: 'bFqG3Bxpp6', 'yAGGuY70PU', 'nlNGpbAlrr', 'F3AG4IR8F1', 'RNTGTYo0nD', 'hxcGye63W4', 'wXIGHoZCg3', 'vReGNArNZa', 'FLYGh78DeE', 'EArGbxNRbA'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, Atp1CPja1oRVV7weY4.cs	High entropy of concatenated method names: 'WZwoQhBlxl', 'oL7oRW3WCI', 'dBlojLiYHI', 'Cwho9gk8Qq', 'z5HoYmWkVu', 'yiJo0VWJCO', 'XVSoPE2ZDk', 'zUToZCfc53', 'UsDonLwqt3', 'OKHoKH6cnW'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, Ek4TwYkqWlNK1TUGl6X.cs	High entropy of concatenated method names: 'esoxJTp71h', 'Gubx54Mx1e', 'G4XxmxmZyp', 'd3OxrK9mQu', 'SEaxwknDFj', 'k1Wxv6ICe5', 'c50xs7AND3', 'LuHxiLvJTY', 'pBDxgS0Zn4', 'Rrrx1XDUIG'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, YgVJrRKCxx1HS9qZcX.cs	High entropy of concatenated method names: 'D3GHu4qYg9', 'BZBH4Asg9u', 'glIHyechCm', 'miLyBNYn17', 'YVhyzfd1qT', 'iLNHqvHgoV', 'HnwHkGC7Na', 'sKIH87vdqT', 'JJDHGKTpkV', 'L1BHXpRKnF'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, JByv60Ip9yJbwQWgNM.cs	High entropy of concatenated method names: 'UCv2bh8dET', 'SMZ2WkXBHc', 'ToString', 'r3F2u1E950', 'xGB2pLwjce', 'e9T240BC4S', 'MOI2TrZXAE', 'Orm2ySqx1B', 'jBN2HH4x3M', 'tR62NNPoqu'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, vFj8tfSZgqUlYsQxMp.cs	High entropy of concatenated method names: 'y9Jy35RRa0', 'sy6ypiTSuA', 'ClhyTRlbPt', 'YvNyHymtc8', 'YYjyNe3OmX', 'BVYTABXb1X', 'L6bTcTtYhA', 'FIsTVBjUJb', 'jhrT7MD3SY', 'XUrTDEKKIR'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, ASVmU4DcMZrBmlKhdn.cs	High entropy of concatenated method names: 'qlHlSmAUJw', 'kQplY6rd28', 'Wp6l0fAp2x', 'vl0lPeWgKf', 'c9ZljWUKW5', 'N7NlZm7yiV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, g9VT4R8NH23savAS8y.cs	High entropy of concatenated method names: 'CFOmpREXH', 'bG4rB6jxd', 'aHovDNemB', 'gj4svE4Tl', 's9QgTtGy4', 'oWw1gifUZ', 'ioxvO00wCF9lcA6DVg', 'ajlr4mBnZ769RSx0QF', 'D49jwEYpeYrfarkWnR', 'kNLlV1xQb'
Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, AjQT9mkG0ultOemfqx7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JJTLjH8whY', 'aCnL9xAyiN', 'u0xLOSw2b8', 'KmBLIh5pcY', 'ls5LApRAqR', 'fn8LchAfKy', 'd4eLVmvLa8'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, dYxsZezjD2vd6yPHgC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UI3xEXPaLx', 'chPxoE7mpQ', 'n9XxtcsV6d', 'lctx2jJrAR', 'isbxl1oKcg', 'NwPxxJXMot', 'm6LxLK9j1p'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, jnNieI10C29r6YPK4W.cs	High entropy of concatenated method names: 'eHdTwuS5tA', 'boeTsV9I6h', 'Vmy40wruRa', 'ICi4Pe4v12', 'qrs4ZhUHZE', 'Mbk4n9y99p', 'lsj4Kwow1e', 'sbx4UbY56q', 'Qc94fwFVfi', 'Qih4Qv82R2'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, l1J7HFBZ1MgJlBwPK5.cs	High entropy of concatenated method names: 'do1xkYJ5ZO', 'YhaxGaoLyJ', 'RhXxXkFT5n', 'l7Kxu5gOvP', 'HGwxpekyZ9', 'lPVxTt5ep8', 'U5vxyTZ9cl', 'A4hlVHD1iO', 'hL9l7qNwUP', 'tPTlDHmnFm'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, rMS3WvcctN5gsoIYYg.cs	High entropy of concatenated method names: 'fD827ngggY', 'DD82B3cVQZ', 'Lp2lqNSVFd', 'THIlkGEP5h', 't2F2aIPypX', 'wgo2Rb6yG6', 'aRo2CnF7Zw', 'Bp82jLna0g', 'pGL29waH5P', 'fA72O7uumC'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, jcxJwOgYMsNuWo6rDt.cs	High entropy of concatenated method names: 'w874r60JFP', 'EhP4vNPr6I', 'Jfw4iu0Aha', 'sCK4gdGvN4', 'eYJ4orhu6n', 'EJL4td4MwM', 'zbB42iprRT', 'yS64lYXdSW', 'eXQ4xGl3EE', 'FEC4LiqFaE'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, kMIXWOixU8twbSWtxx.cs	High entropy of concatenated method names: 'FUEpj5hc98', 'Pdnp9h3jT5', 'HYQpON6Pb0', 'c3CpIwqvD9', 'qmYpAdPls6', 'GelpcZy3sK', 'Y0rpVgHqBY', 'Yqpp7qno6P', 'mnvpDnBbkp', 'gKHpBmkixK'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Ays466Ye2OgS5tPSlk.cs	High entropy of concatenated method names: 'UmI8jD4es13CVk9kWCJ', 'g8JfXI4OovIFxvqN7DX', 'MqKyly7TfD', 'CPXyxPIsdo', 'AGpyLOup2E', 'PlVSsj4fyiHdeOSQnrT', 'y6kUTv4EZ0bm7gBVQwN'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, NZwxqDXBm7FlmwqLQl.cs	High entropy of concatenated method names: 'SWNkHMIXWO', 'rU8kNtwbSW', 'TYMkbsNuWo', 'urDkWtHnNi', 'GPKko4WFFj', 'btfktZgqUl', 'If4Uknt3EXGbCdPc05', 'LpM7y6pvYCRCX7TIDS', 'z71KoHr8C5kZiNNQmm', 'qRrkk768NW'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, sTe3F6fHuEKyNny7Lb.cs	High entropy of concatenated method names: 'L8EHJAGhxX', 'VjrH5PQ6B8', 'RQwHmyJ5SQ', 'a27HrQcZy5', 'l3OHwbyL49', 'aHkHva3jEA', 'Cu1HsUjETg', 'yEGHihThoL', 'A1GHg9NQqI', 'SFiH1EG3OT'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Ljd7rDCBt3UIxc8BUY.cs	High entropy of concatenated method names: 'P5eEiKjnhp', 'F5pEgh7Qes', 'bARESosOXZ', 'kEbEYnsw5Y', 'jwPEPsSQ0t', 'mv4EZM9Km2', 'STiEKTRlL1', 'AkiEU4XKZG', 'pcoEQKtcOS', 'RCmEa4hv8y'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, CHhd18p30b5FjJ912H.cs	High entropy of concatenated method names: 'Dispose', 'j5GkDvOn2u', 'ImG8Y3ZePm', 'Bullllp2VL', 'acykBvj2dR', 'v9wkzc0YZE', 'ProcessDialogKey', 'Fcr8qSVmU4', 'VMZ8krBmlK', 'ldn88h1J7H'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Vyvj2d7RF9wc0YZE1c.cs	High entropy of concatenated method names: 'zpZludnjXV', 'UdUlpS8247', 'W6Vl4HV2Wg', 'lJBlTexnAb', 'nSdlyqoh1J', 'yeVlH1sQsw', 'yjRlNEO0lj', 'Q6clh5w74c', 'wwMlbuAV6r', 'IAqlWlyyL2'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Awxd2xNHUlt8uvrdfk.cs	High entropy of concatenated method names: 'bFqG3Bxpp6', 'yAGGuY70PU', 'nlNGpbAlrr', 'F3AG4IR8F1', 'RNTGTYo0nD', 'hxcGye63W4', 'wXIGHoZCg3', 'vReGNArNZa', 'FLYGh78DeE', 'EArGbxNRbA'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Atp1CPja1oRVV7weY4.cs	High entropy of concatenated method names: 'WZwoQhBlxl', 'oL7oRW3WCI', 'dBlojLiYHI', 'Cwho9gk8Qq', 'z5HoYmWkVu', 'yiJo0VWJCO', 'XVSoPE2ZDk', 'zUToZCfc53', 'UsDonLwqt3', 'OKHoKH6cnW'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Ek4TwYkqWlNK1TUGl6X.cs	High entropy of concatenated method names: 'esoxJTp71h', 'Gubx54Mx1e', 'G4XxmxmZyp', 'd3OxrK9mQu', 'SEaxwknDFj', 'k1Wxv6ICe5', 'c50xs7AND3', 'LuHxiLvJTY', 'pBDxgS0Zn4', 'Rrrx1XDUIG'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, YgVJrRKCxx1HS9qZcX.cs	High entropy of concatenated method names: 'D3GHu4qYg9', 'BZBH4Asg9u', 'glIHyechCm', 'miLyBNYn17', 'YVhyzfd1qT', 'iLNHqvHgoV', 'HnwHkGC7Na', 'sKIH87vdqT', 'JJDHGKTpkV', 'L1BHXpRKnF'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, JByv60Ip9yJbwQWgNM.cs	High entropy of concatenated method names: 'UCv2bh8dET', 'SMZ2WkXBHc', 'ToString', 'r3F2u1E950', 'xGB2pLwjce', 'e9T240BC4S', 'MOI2TrZXAE', 'Orm2ySqx1B', 'jBN2HH4x3M', 'tR62NNPoqu'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, vFj8tfSZgqUlYsQxMp.cs	High entropy of concatenated method names: 'y9Jy35RRa0', 'sy6ypiTSuA', 'ClhyTRlbPt', 'YvNyHymtc8', 'YYjyNe3OmX', 'BVYTABXb1X', 'L6bTcTtYhA', 'FIsTVBjUJb', 'jhrT7MD3SY', 'XUrTDEKKIR'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, ASVmU4DcMZrBmlKhdn.cs	High entropy of concatenated method names: 'qlHlSmAUJw', 'kQplY6rd28', 'Wp6l0fAp2x', 'vl0lPeWgKf', 'c9ZljWUKW5', 'N7NlZm7yiV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, g9VT4R8NH23savAS8y.cs	High entropy of concatenated method names: 'CFOmpREXH', 'bG4rB6jxd', 'aHovDNemB', 'gj4svE4Tl', 's9QgTtGy4', 'oWw1gifUZ', 'ioxvO00wCF9lcA6DVg', 'ajlr4mBnZ769RSx0QF', 'D49jwEYpeYrfarkWnR', 'kNLlV1xQb'
Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, AjQT9mkG0ultOemfqx7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JJTLjH8whY', 'aCnL9xAyiN', 'u0xLOSw2b8', 'KmBLIh5pcY', 'ls5LApRAqR', 'fn8LchAfKy', 'd4eLVmvLa8'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, dYxsZezjD2vd6yPHgC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UI3xEXPaLx', 'chPxoE7mpQ', 'n9XxtcsV6d', 'lctx2jJrAR', 'isbxl1oKcg', 'NwPxxJXMot', 'm6LxLK9j1p'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, jnNieI10C29r6YPK4W.cs	High entropy of concatenated method names: 'eHdTwuS5tA', 'boeTsV9I6h', 'Vmy40wruRa', 'ICi4Pe4v12', 'qrs4ZhUHZE', 'Mbk4n9y99p', 'lsj4Kwow1e', 'sbx4UbY56q', 'Qc94fwFVfi', 'Qih4Qv82R2'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, l1J7HFBZ1MgJlBwPK5.cs	High entropy of concatenated method names: 'do1xkYJ5ZO', 'YhaxGaoLyJ', 'RhXxXkFT5n', 'l7Kxu5gOvP', 'HGwxpekyZ9', 'lPVxTt5ep8', 'U5vxyTZ9cl', 'A4hlVHD1iO', 'hL9l7qNwUP', 'tPTlDHmnFm'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, rMS3WvcctN5gsoIYYg.cs	High entropy of concatenated method names: 'fD827ngggY', 'DD82B3cVQZ', 'Lp2lqNSVFd', 'THIlkGEP5h', 't2F2aIPypX', 'wgo2Rb6yG6', 'aRo2CnF7Zw', 'Bp82jLna0g', 'pGL29waH5P', 'fA72O7uumC'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, jcxJwOgYMsNuWo6rDt.cs	High entropy of concatenated method names: 'w874r60JFP', 'EhP4vNPr6I', 'Jfw4iu0Aha', 'sCK4gdGvN4', 'eYJ4orhu6n', 'EJL4td4MwM', 'zbB42iprRT', 'yS64lYXdSW', 'eXQ4xGl3EE', 'FEC4LiqFaE'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, kMIXWOixU8twbSWtxx.cs	High entropy of concatenated method names: 'FUEpj5hc98', 'Pdnp9h3jT5', 'HYQpON6Pb0', 'c3CpIwqvD9', 'qmYpAdPls6', 'GelpcZy3sK', 'Y0rpVgHqBY', 'Yqpp7qno6P', 'mnvpDnBbkp', 'gKHpBmkixK'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Ays466Ye2OgS5tPSlk.cs	High entropy of concatenated method names: 'UmI8jD4es13CVk9kWCJ', 'g8JfXI4OovIFxvqN7DX', 'MqKyly7TfD', 'CPXyxPIsdo', 'AGpyLOup2E', 'PlVSsj4fyiHdeOSQnrT', 'y6kUTv4EZ0bm7gBVQwN'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, NZwxqDXBm7FlmwqLQl.cs	High entropy of concatenated method names: 'SWNkHMIXWO', 'rU8kNtwbSW', 'TYMkbsNuWo', 'urDkWtHnNi', 'GPKko4WFFj', 'btfktZgqUl', 'If4Uknt3EXGbCdPc05', 'LpM7y6pvYCRCX7TIDS', 'z71KoHr8C5kZiNNQmm', 'qRrkk768NW'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, sTe3F6fHuEKyNny7Lb.cs	High entropy of concatenated method names: 'L8EHJAGhxX', 'VjrH5PQ6B8', 'RQwHmyJ5SQ', 'a27HrQcZy5', 'l3OHwbyL49', 'aHkHva3jEA', 'Cu1HsUjETg', 'yEGHihThoL', 'A1GHg9NQqI', 'SFiH1EG3OT'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Ljd7rDCBt3UIxc8BUY.cs	High entropy of concatenated method names: 'P5eEiKjnhp', 'F5pEgh7Qes', 'bARESosOXZ', 'kEbEYnsw5Y', 'jwPEPsSQ0t', 'mv4EZM9Km2', 'STiEKTRlL1', 'AkiEU4XKZG', 'pcoEQKtcOS', 'RCmEa4hv8y'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, CHhd18p30b5FjJ912H.cs	High entropy of concatenated method names: 'Dispose', 'j5GkDvOn2u', 'ImG8Y3ZePm', 'Bullllp2VL', 'acykBvj2dR', 'v9wkzc0YZE', 'ProcessDialogKey', 'Fcr8qSVmU4', 'VMZ8krBmlK', 'ldn88h1J7H'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Vyvj2d7RF9wc0YZE1c.cs	High entropy of concatenated method names: 'zpZludnjXV', 'UdUlpS8247', 'W6Vl4HV2Wg', 'lJBlTexnAb', 'nSdlyqoh1J', 'yeVlH1sQsw', 'yjRlNEO0lj', 'Q6clh5w74c', 'wwMlbuAV6r', 'IAqlWlyyL2'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Awxd2xNHUlt8uvrdfk.cs	High entropy of concatenated method names: 'bFqG3Bxpp6', 'yAGGuY70PU', 'nlNGpbAlrr', 'F3AG4IR8F1', 'RNTGTYo0nD', 'hxcGye63W4', 'wXIGHoZCg3', 'vReGNArNZa', 'FLYGh78DeE', 'EArGbxNRbA'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Atp1CPja1oRVV7weY4.cs	High entropy of concatenated method names: 'WZwoQhBlxl', 'oL7oRW3WCI', 'dBlojLiYHI', 'Cwho9gk8Qq', 'z5HoYmWkVu', 'yiJo0VWJCO', 'XVSoPE2ZDk', 'zUToZCfc53', 'UsDonLwqt3', 'OKHoKH6cnW'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Ek4TwYkqWlNK1TUGl6X.cs	High entropy of concatenated method names: 'esoxJTp71h', 'Gubx54Mx1e', 'G4XxmxmZyp', 'd3OxrK9mQu', 'SEaxwknDFj', 'k1Wxv6ICe5', 'c50xs7AND3', 'LuHxiLvJTY', 'pBDxgS0Zn4', 'Rrrx1XDUIG'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, YgVJrRKCxx1HS9qZcX.cs	High entropy of concatenated method names: 'D3GHu4qYg9', 'BZBH4Asg9u', 'glIHyechCm', 'miLyBNYn17', 'YVhyzfd1qT', 'iLNHqvHgoV', 'HnwHkGC7Na', 'sKIH87vdqT', 'JJDHGKTpkV', 'L1BHXpRKnF'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, JByv60Ip9yJbwQWgNM.cs	High entropy of concatenated method names: 'UCv2bh8dET', 'SMZ2WkXBHc', 'ToString', 'r3F2u1E950', 'xGB2pLwjce', 'e9T240BC4S', 'MOI2TrZXAE', 'Orm2ySqx1B', 'jBN2HH4x3M', 'tR62NNPoqu'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, vFj8tfSZgqUlYsQxMp.cs	High entropy of concatenated method names: 'y9Jy35RRa0', 'sy6ypiTSuA', 'ClhyTRlbPt', 'YvNyHymtc8', 'YYjyNe3OmX', 'BVYTABXb1X', 'L6bTcTtYhA', 'FIsTVBjUJb', 'jhrT7MD3SY', 'XUrTDEKKIR'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, ASVmU4DcMZrBmlKhdn.cs	High entropy of concatenated method names: 'qlHlSmAUJw', 'kQplY6rd28', 'Wp6l0fAp2x', 'vl0lPeWgKf', 'c9ZljWUKW5', 'N7NlZm7yiV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, g9VT4R8NH23savAS8y.cs	High entropy of concatenated method names: 'CFOmpREXH', 'bG4rB6jxd', 'aHovDNemB', 'gj4svE4Tl', 's9QgTtGy4', 'oWw1gifUZ', 'ioxvO00wCF9lcA6DVg', 'ajlr4mBnZ769RSx0QF', 'D49jwEYpeYrfarkWnR', 'kNLlV1xQb'
Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, AjQT9mkG0ultOemfqx7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JJTLjH8whY', 'aCnL9xAyiN', 'u0xLOSw2b8', 'KmBLIh5pcY', 'ls5LApRAqR', 'fn8LchAfKy', 'd4eLVmvLa8'

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\ktmutil.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Memory allocated: D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Memory allocated: 83F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Memory allocated: 93F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Memory allocated: 95D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Memory allocated: A5D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Thread delayed: delay time: 239873	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Thread delayed: delay time: 239749	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Window / User API: threadDelayed 1817	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Window / User API: threadDelayed 5188	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4913	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 478	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Window / User API: threadDelayed 9841	Jump to behavior

Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\ktmutil.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\rPRESUPUESTO.exe TID: 3012	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe TID: 3012	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe TID: 3012	Thread sleep time: -239873s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe TID: 3012	Thread sleep time: -239749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe TID: 2352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1576	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe TID: 5852	Thread sleep count: 131 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe TID: 5852	Thread sleep time: -262000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe TID: 5852	Thread sleep count: 9841 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe TID: 5852	Thread sleep time: -19682000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe TID: 5656	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe TID: 5656	Thread sleep time: -57000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe TID: 5656	Thread sleep time: -37000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\ktmutil.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\ktmutil.exe	Last function: Thread delayed

Source: 07c402-5.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 07c402-5.9.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 07c402-5.9.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 07c402-5.9.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 07c402-5.9.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 07c402-5.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 07c402-5.9.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 07c402-5.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 07c402-5.9.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 07c402-5.9.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 07c402-5.9.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 07c402-5.9.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 07c402-5.9.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 07c402-5.9.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 07c402-5.9.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4587902470.0000000001349000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 07c402-5.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 07c402-5.9.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 07c402-5.9.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 07c402-5.9.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 07c402-5.9.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 07c402-5.9.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 07c402-5.9.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 07c402-5.9.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 07c402-5.9.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 07c402-5.9.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 07c402-5.9.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 07c402-5.9.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: firefox.exe, 0000000D.00000002.2619239385.000001F415C3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllGGJ
Source: 07c402-5.9.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: ktmutil.exe, 00000009.00000002.4587088156.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|(TE
Source: 07c402-5.9.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 07c402-5.9.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 07c402-5.9.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtQueryValueKey: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtOpenKeyEx: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: NULL target: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Section loaded: NULL target: C:\Windows\SysWOW64\ktmutil.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000002.4587906906.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000000.2251522914.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588158664.00000000018B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000002.4587906906.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000000.2251522914.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588158664.00000000018B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000002.4587906906.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000000.2251522914.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588158664.00000000018B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000002.4587906906.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000000.2251522914.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588158664.00000000018B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Windows Analysis Report rPRESUPUESTO.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
rPRESUPUESTO.exe

Malware Threat Intel
Provided by

Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Queries volume information: C:\Users\user\Desktop\rPRESUPUESTO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rPRESUPUESTO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\ktmutil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
122.10.13.122	2xin3.zhanghonghong.com	Hong Kong	134548	DXTL-HKDXTLTseungKwanOServiceHK	true
74.208.236.72	www.transelva.com	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
121.254.178.238	www.b6fbly7u.shop	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
192.207.62.21	225.jtrhc.fun	United States	394180	HOSTBREWUS	true
72.52.179.174	www.europedriveguide.com	United States	32244	LIQUIDWEBUS	true
192.227.175.142	www.coinmao.com	United States	36352	AS-COLOCROSSINGUS	true
199.59.243.226	www.mommysdaycare.net	United States	395082	BODIS-NJUS	true
203.161.62.199	www.quantumvoil.xyz	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true
109.123.121.243	www.rlplatro.sbs	United Kingdom	13213	UK2NET-ASGB	true
103.224.182.246	www.atmpla.net	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
31.186.11.254	genesiestudios.online	Turkey	199484	BETAINTERNATIONALTR	true
45.207.12.95	www.203av.com	Seychelles	134548	DXTL-HKDXTLTseungKwanOServiceHK	true
81.95.96.29	www.hydrogenmovie.com	Czech Republic	25234	GLOBE-AShttpwwwactive24czCZ	true
47.242.109.15	www.xsemckm.sbs	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

Name	Malicious	Antivirus Detection	Reputation
http://www.rlplatro.sbs/hpa2/	true	Avira URL Cloud: safe	unknown
http://www.transelva.com/edi4/	true	Avira URL Cloud: safe	unknown
http://www.coinmao.com/irbt/	true	Avira URL Cloud: safe	unknown
http://www.xsemckm.sbs/pyns/	true	Avira URL Cloud: safe	unknown
http://www.quantumvoil.xyz/gb2c/	true	Avira URL Cloud: safe	unknown
http://www.genesiestudios.online/s29p/	true	Avira URL Cloud: malware	unknown
http://www.203av.com/dy54/	true	Avira URL Cloud: safe	unknown
http://www.gsdaluan.shop/8urb/	true	Avira URL Cloud: malware	unknown
http://www.hydrogenmovie.com/vi6c/	true	Avira URL Cloud: safe	unknown
http://www.atmpla.net/n983/	true	Avira URL Cloud: safe	unknown
http://www.europedriveguide.com/2pcd/	true	Avira URL Cloud: safe	unknown
http://www.mommysdaycare.net/k4dg/	true	Avira URL Cloud: safe	unknown

ID:	1465409
Product:	CloudBasic
Start time:	16:14:15
Start date:	01.07.2024
Sample:	rPRESUPUESTO.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	e78d43a26913cf101b98d1d04839eee2
SHA1:	911c8c10f7c8bc9fd3c6bd16e9f5da11e3c3eb5d
SHA256:	8f9dbdd77e130b7238761966a9c9aa8712baf2100ddebc3d9d206ee17f8f119c
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rPRESUPUESTO.exe.log	ASCII text, with CRLF line terminators	215B3562F83C4FB9BBB129D2F9E59ADA	0534A53F6F42ECA7E56EB02E328A2025254AC511	4CF4451F940D8D730D8209079E1404A1EAD1A36C33E69AB8AE43E0E7D33B4450
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	E4532FAC52FB479867BAF60958F8E50C	6736C4FA0AFCE32F8E206C7F414A902A96A45E5B	E1475E82065BB6BAD4E6C71F033E48B8DEEB85FACB251FC1D098E4D22AB6F7FB
C:\Users\user\AppData\Local\Temp\07c402-5	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8	D87270D0039ED3A5A72E7082EA71E305	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ggwsvlml.yr5.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oaoerwqi.pzx.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pul4memt.qud.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vtza4nxy.w3x.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7