Windows Analysis Report
PRESUPUEST.exe

Overview

General Information

Sample name: PRESUPUEST.exe
Analysis ID: 1544960
MD5: 9533800ff0c1ef9979f705d23d0a625a
SHA1: 818521b032199079f6757cad27c3f5f073a131f6
SHA256: e64bf07778d6213ab62a2e94e764053d4378192b836715aa6552405de1e15832
Tags: AsyncRAT, exe, RAT, user-abuse_ch
Infos:

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected AsyncRAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PRESUPUEST.exe (PID: 6512 cmdline: "C:\Users\user\Desktop\PRESUPUEST.exe" MD5: 9533800FF0C1EF9979F705D23D0A625A)
    • PRESUPUEST.exe (PID: 4424 cmdline: "C:\Users\user\Desktop\PRESUPUEST.exe" MD5: 9533800FF0C1EF9979F705D23D0A625A)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"Server": "quin.ydns.eu,185.38.142.240", "Port": "1962,1940", "Version": "0.5.8", "MutexName": "dLOEY8XRq1oB", "Autorun": "false", "Group": "null"}
Source | Rule | Description | Author | Strings
dump.pcap | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x37ee:$x1: AsyncRAT
  • 0x382c:$x1: AsyncRAT
00000003.00000002.3274704920.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000003.00000002.3274704920.0000000000402000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
    • 0x97c5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
      • 0x10957:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
      • 0x1be33:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
      • 0x278e7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
      • 0x11c5c:$a2: Stub.exe
      • 0x11cec:$a2: Stub.exe
      • 0x1d138:$a2: Stub.exe
      • 0x1d1c8:$a2: Stub.exe
      • 0x28bf8:$a2: Stub.exe
      • 0x28c88:$a2: Stub.exe
      • 0xd71a:$a3: get_ActivatePong
      • 0x18bf6:$a3: get_ActivatePong
      • 0x246aa:$a3: get_ActivatePong
      • 0x10b6f:$a4: vmware
      • 0x1c04b:$a4: vmware
      • 0x27aff:$a4: vmware
      • 0x109e7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
      • 0x1bec3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
      • 0x27977:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
      • 0xe46c:$a6: get_SslClient
      • 0x19948:$a6: get_SslClient
      • 0x253fc:$a6: get_SslClient
00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
      • 0x109e9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
      • 0x1bec5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
      • 0x27979:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.PRESUPUEST.exe.281b500.1.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.2.PRESUPUEST.exe.281b500.1.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
        • 0x7b33:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
        • 0x8e38:$a2: Stub.exe
        • 0x8ec8:$a2: Stub.exe
        • 0x48f6:$a3: get_ActivatePong
        • 0x7d4b:$a4: vmware
        • 0x7bc3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
        • 0x5648:$a6: get_SslClient
0.2.PRESUPUEST.exe.281b500.1.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
        • 0x7bc5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.PRESUPUEST.exe.2810024.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.2.PRESUPUEST.exe.2810024.0.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
          • 0x7b33:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
          • 0x8e38:$a2: Stub.exe
          • 0x8ec8:$a2: Stub.exe
          • 0x48f6:$a3: get_ActivatePong
          • 0x7d4b:$a4: vmware
          • 0x7bc3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
          • 0x5648:$a6: get_SslClient
          No Sigma rule has matched
          Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
          2024-10-29T22:32:10.766832+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 185.38.142.240 | 1940 | 192.168.2.5 | 49709 | TCP
          2024-10-29T22:32:10.766832+0100 | 2035607 | 1 | Domain Observed Used for C2 Detected | 185.38.142.240 | 1940 | 192.168.2.5 | 49709 | TCP
          2024-10-29T22:32:10.766832+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 185.38.142.240 | 1940 | 192.168.2.5 | 49709 | TCP

          AV Detection

          Source: 00000003.00000002.3276221288.0000000002E41000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "quin.ydns.eu,185.38.142.240", "Port": "1962,1940", "Version": "0.5.8", "MutexName": "dLOEY8XRq1oB", "Autorun": "false", "Group": "null"}
          Source: PRESUPUEST.exe | ReversingLabs: Detection: 39%
          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
          Source: PRESUPUEST.exe | Joe Sandbox ML: detected
          Source: PRESUPUEST.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: PRESUPUEST.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: sFzU.pdb source: PRESUPUEST.exe
          Source: Binary string: sFzU.pdbSHA256. source: PRESUPUEST.exe

          Networking

          Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 185.38.142.240:1940 -> 192.168.2.5:49709
          Source: Network traffic | Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 185.38.142.240:1940 -> 192.168.2.5:49709
          Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 185.38.142.240:1940 -> 192.168.2.5:49709
          Source: Network traffic | Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 185.38.142.240:1940 -> 192.168.2.5:49709
          Source: Malware configuration extractor | URLs: quin.ydns.eu
          Source: Yara match | File source: 3.2.PRESUPUEST.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PRESUPUEST.exe.281b500.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PRESUPUEST.exe.2810024.0.raw.unpack, type: UNPACKEDPE
          Source: global traffic | TCP traffic: 192.168.2.5:49709 -> 185.38.142.240:1940
          Source: Joe Sandbox View | ASN Name: NETSOLUTIONSNL NETSOLUTIONSNL
          Source: unknown | TCP traffic detected without corresponding DNS query: 185.38.142.240
          Source: global traffic | DNS traffic detected: DNS query: quin.ydns.eu
          Source: PRESUPUEST.exe, 00000003.00000002.3275090090.0000000001136000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
          Source: 77EC63BDA74BD0D0E0426DC8F80085060.3.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
          Source: PRESUPUEST.exe, 00000003.00000002.3275090090.0000000001136000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?
          Source: PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002E41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: PRESUPUEST.exe | String found in binary or memory: http://tempuri.org/DataSet1.xsd

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          Source: Yara match | File source: 0.2.PRESUPUEST.exe.281b500.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PRESUPUEST.exe.2810024.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.PRESUPUEST.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PRESUPUEST.exe.281b500.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PRESUPUEST.exe.2810024.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.3274704920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.3276221288.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: PRESUPUEST.exe PID: 6512, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: PRESUPUEST.exe PID: 4424, type: MEMORYSTR

          System Summary

          Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT | Author: ditekSHen
          Source: 0.2.PRESUPUEST.exe.281b500.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
          Source: 0.2.PRESUPUEST.exe.281b500.1.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
          Source: 0.2.PRESUPUEST.exe.2810024.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
          Source: 0.2.PRESUPUEST.exe.2810024.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
          Source: 3.2.PRESUPUEST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
          Source: 3.2.PRESUPUEST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
          Source: 0.2.PRESUPUEST.exe.281b500.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
          Source: 0.2.PRESUPUEST.exe.281b500.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
          Source: 0.2.PRESUPUEST.exe.2810024.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
          Source: 0.2.PRESUPUEST.exe.2810024.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
          Source: 00000003.00000002.3274704920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
          Source: 00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
          Source: 00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
          Source: 00000003.00000002.3275090090.0000000001136000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
          Source: 00000003.00000002.3276221288.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
          Source: Process Memory Space: PRESUPUEST.exe PID: 6512, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
          Source: Process Memory Space: PRESUPUEST.exe PID: 4424, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
          Source: Process Memory Space: PRESUPUEST.exe PID: 4424, type: MEMORYSTR | Matched rule: Detects AsyncRAT | Author: ditekSHen
          Source: C:\Users\user\Desktop\PRESUPUEST.exe | Code function: 0_2_06F02F70 NtQueryInformationProcess,0_2_06F02F70
          Source: C:\Users\user\Desktop\PRESUPUEST.exe | Code function: 0_2_06F02F68 NtQueryInformationProcess,0_2_06F02F68
          Source: PRESUPUEST.exe, 00000000.00000000.2016435092.00000000001F8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesFzU.exe8 vs PRESUPUEST.exe
          Source: PRESUPUEST.exe, 00000000.00000002.2036088839.00000000087A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs PRESUPUEST.exe
          Source: PRESUPUEST.exe, 00000000.00000002.2029746721.000000000079E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PRESUPUEST.exe
          Source: PRESUPUEST.exe, 00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs PRESUPUEST.exe
          Source: PRESUPUEST.exe, 00000000.00000002.2031735911.0000000003F06000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs PRESUPUEST.exe
          Source: PRESUPUEST.exe, 00000003.00000002.3274704920.000000000040E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs PRESUPUEST.exe
          Source: PRESUPUEST.exe | Binary or memory string: OriginalFilenamesFzU.exe8 vs PRESUPUEST.exe
          Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 0.2.PRESUPUEST.exe.281b500.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 0.2.PRESUPUEST.exe.281b500.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 0.2.PRESUPUEST.exe.2810024.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 0.2.PRESUPUEST.exe.2810024.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 3.2.PRESUPUEST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 3.2.PRESUPUEST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 0.2.PRESUPUEST.exe.281b500.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 0.2.PRESUPUEST.exe.281b500.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 0.2.PRESUPUEST.exe.2810024.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 0.2.PRESUPUEST.exe.2810024.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 00000003.00000002.3274704920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 00000003.00000002.3275090090.0000000001136000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 00000003.00000002.3276221288.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: Process Memory Space: PRESUPUEST.exe PID: 6512, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: Process Memory Space: PRESUPUEST.exe PID: 4424, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: Process Memory Space: PRESUPUEST.exe PID: 4424, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: PRESUPUEST.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.PRESUPUEST.exe.2810024.0.raw.unpack, Settings.cs | Base64 encoded strings present
          Source: 0.2.PRESUPUEST.exe.281b500.1.raw.unpack, Settings.cs | Base64 encoded strings present
          Source: 0.2.PRESUPUEST.exe.87a0000.5.raw.unpack, exaCsACACNKfcw8uay.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.PRESUPUEST.exe.87a0000.5.raw.unpack, exaCsACACNKfcw8uay.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.PRESUPUEST.exe.87a0000.5.raw.unpack, exaCsACACNKfcw8uay.csSecurity API names: _0020.AddAccessRule
          Source: 0.2.PRESUPUEST.exe.40961d0.2.raw.unpack, dErvlFj0e1JvtiOSFO.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.PRESUPUEST.exe.2810024.0.raw.unpack, Methods.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 0.2.PRESUPUEST.exe.2810024.0.raw.unpack, Methods.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.PRESUPUEST.exe.40961d0.2.raw.unpack, exaCsACACNKfcw8uay.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.PRESUPUEST.exe.40961d0.2.raw.unpack, exaCsACACNKfcw8uay.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.PRESUPUEST.exe.40961d0.2.raw.unpack, exaCsACACNKfcw8uay.csSecurity API names: _0020.AddAccessRule
          Source: 0.2.PRESUPUEST.exe.40495b0.3.raw.unpack, dErvlFj0e1JvtiOSFO.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.PRESUPUEST.exe.87a0000.5.raw.unpack, dErvlFj0e1JvtiOSFO.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.PRESUPUEST.exe.281b500.1.raw.unpack, Methods.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 0.2.PRESUPUEST.exe.281b500.1.raw.unpack, Methods.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.PRESUPUEST.exe.40495b0.3.raw.unpack, exaCsACACNKfcw8uay.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.PRESUPUEST.exe.40495b0.3.raw.unpack, exaCsACACNKfcw8uay.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.PRESUPUEST.exe.40495b0.3.raw.unpack, exaCsACACNKfcw8uay.csSecurity API names: _0020.AddAccessRule
          Source: classification engineClassification label: mal100.troj.evad.winEXE@3/3@1/1
          Source: C:\Users\user\Desktop\PRESUPUEST.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PRESUPUEST.exe.log
          Source: C:\Users\user\Desktop\PRESUPUEST.exeMutant created: NULL
          Source: C:\Users\user\Desktop\PRESUPUEST.exeMutant created: \Sessions\1\BaseNamedObjects\dLOEY8XRq1oB
          Source: PRESUPUEST.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: PRESUPUEST.exeReversingLabs: Detection: 39%
          Source: unknownProcess created: C:\Users\user\Desktop\PRESUPUEST.exe "C:\Users\user\Desktop\PRESUPUEST.exe"
          Source: C:\Users\user\Desktop\PRESUPUEST.exeProcess created: C:\Users\user\Desktop\PRESUPUEST.exe "C:\Users\user\Desktop\PRESUPUEST.exe"
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: version.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: dwrite.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: windowscodecs.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: textshaping.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: secur32.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: schannel.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: mskeyprotect.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: ntasn1.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: ncrypt.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: ncryptsslp.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: cryptnet.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: webio.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: cabinet.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Section loaded: wbemcomn.dll
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: C:\Users\user\Desktop\PRESUPUEST.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: PRESUPUEST.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: PRESUPUEST.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: PRESUPUEST.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: sFzU.pdb source: PRESUPUEST.exe
          Source: Binary string: sFzU.pdbSHA256. source: PRESUPUEST.exe

          Data Obfuscation

          Source: 0.2.PRESUPUEST.exe.40961d0.2.raw.unpack, exaCsACACNKfcw8uay.cs.Net Code: gBq2apEIOF System.Reflection.Assembly.Load(byte[])
          Source: 0.2.PRESUPUEST.exe.6e40000.4.raw.unpack, Uo.cs.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
          Source: 0.2.PRESUPUEST.exe.87a0000.5.raw.unpack, exaCsACACNKfcw8uay.cs.Net Code: gBq2apEIOF System.Reflection.Assembly.Load(byte[])
          Source: 0.2.PRESUPUEST.exe.40495b0.3.raw.unpack, exaCsACACNKfcw8uay.cs.Net Code: gBq2apEIOF System.Reflection.Assembly.Load(byte[])
          Source: PRESUPUEST.exeStatic PE information: 0xE0C10E33 [Mon Jun 27 22:07:47 2089 UTC]
          Source: C:\Users\user\Desktop\PRESUPUEST.exeCode function: 0_2_06EE0D20 push eax; ret 0_2_06EE0D33
          Source: PRESUPUEST.exeStatic PE information: section name: .text entropy: 7.50950168517389

          Boot Survival

          Source: Yara matchFile source: 0.2.PRESUPUEST.exe.281b500.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PRESUPUEST.exe.2810024.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.PRESUPUEST.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PRESUPUEST.exe.281b500.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PRESUPUEST.exe.2810024.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.3274704920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.3276221288.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: PRESUPUEST.exe PID: 6512, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: PRESUPUEST.exe PID: 4424, type: MEMORYSTR
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
          Source: C:\Users\user\Desktop\PRESUPUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\PRESUPUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\PRESUPUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\PRESUPUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\PRESUPUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\PRESUPUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\PRESUPUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\PRESUPUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\PRESUPUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\PRESUPUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\PRESUPUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\PRESUPUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\PRESUPUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: Yara match File source: Process Memory Space: PRESUPUEST.exe PID: 6512, type: MEMORYSTR
          Source: Yara match File source: 0.2.PRESUPUEST.exe.281b500.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.PRESUPUEST.exe.2810024.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 3.2.PRESUPUEST.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.PRESUPUEST.exe.281b500.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.PRESUPUEST.exe.2810024.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000003.00000002.3274704920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.3276221288.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: PRESUPUEST.exe PID: 6512, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: PRESUPUEST.exe PID: 4424, type: MEMORYSTR
          Source: PRESUPUEST.exe, 00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp, PRESUPUEST.exe, 00000003.00000002.3274704920.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Memory allocated: 930000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Memory allocated: 2670000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Memory allocated: 2480000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Memory allocated: 8CA0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Memory allocated: 9CA0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Memory allocated: 9EC0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Memory allocated: AEC0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Memory allocated: B870000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Memory allocated: C870000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Memory allocated: D870000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Memory allocated: 13E0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Memory allocated: 2E40000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Memory allocated: 2D70000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Window / User API: threadDelayed 8058
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Window / User API: threadDelayed 1794
          Source: C:\Users\user\Desktop\PRESUPUEST.exe TID: 6604 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\PRESUPUEST.exe TID: 6480 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\PRESUPUEST.exe TID: 2676 Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Users\user\Desktop\PRESUPUEST.exe TID: 7148 Thread sleep count: 8058 > 30
          Source: C:\Users\user\Desktop\PRESUPUEST.exe TID: 7148 Thread sleep count: 1794 > 30
          Source: C:\Users\user\Desktop\PRESUPUEST.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Thread delayed: delay time: 922337203685477
          Source: PRESUPUEST.exe, 00000003.00000002.3274704920.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: vmware
          Source: PRESUPUEST.exe, 00000003.00000002.3279239996.0000000005483000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: PRESUPUEST.exe, 00000003.00000002.3275090090.0000000001136000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp3G
          Source: PRESUPUEST.exe, 00000003.00000002.3279163807.0000000005469000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\PRESUPUEST.exe Memory written: C:\Users\user\Desktop\PRESUPUEST.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Process created: C:\Users\user\Desktop\PRESUPUEST.exe "C:\Users\user\Desktop\PRESUPUEST.exe"
          Source: PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@\]q
          Source: PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
          Source: PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp, PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@\]q%
          Source: PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe]q<
          Source: PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe]q8D
          Source: PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp, PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe]q
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Queries volume information: C:\Users\user\Desktop\PRESUPUEST.exe VolumeInformation
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Queries volume information: C:\Users\user\Desktop\PRESUPUEST.exe VolumeInformation
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\PRESUPUEST.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: Yara match File source: 0.2.PRESUPUEST.exe.281b500.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.PRESUPUEST.exe.2810024.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 3.2.PRESUPUEST.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.PRESUPUEST.exe.281b500.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.PRESUPUEST.exe.2810024.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000003.00000002.3274704920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.3276221288.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: PRESUPUEST.exe PID: 6512, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: PRESUPUEST.exe PID: 4424, type: MEMORYSTR
          Source: PRESUPUEST.exe, 00000003.00000002.3275090090.0000000001136000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: PRESUPUEST.exe, 00000003.00000002.3279518811.0000000005618000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: er\MsMpeng.exe
          Source: C:\Users\user\Desktop\PRESUPUEST.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          Execution: 1 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
          Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
          Privilege Escalation: 112 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
          Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 112 Process Injection; 121 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          Discovery: 1 Query Registry; 121 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
          Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
          Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
          Source | Detection | Scanner | Label | Link
          PRESUPUEST.exe | 39% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
          PRESUPUEST.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.19 | true | false | | unknown
          quin.ydns.eu | unknown | unknown | true | | unknown

          Name | Malicious | Antivirus Detection | Reputation
          quin.ydns.eu | true | | unknown

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PRESUPUEST.exe, 00000003.00000002.3276221288.0000000002E41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://tempuri.org/DataSet1.xsd | PRESUPUEST.exe | false | | unknown
          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
          185.38.142.240 | unknown | Portugal | | 47674 | NETSOLUTIONSNL | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1544960
                  Start date and time:2024-10-29 22:31:08 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 5m 18s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:6
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:PRESUPUEST.exe
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@3/3@1/1
                  EGA Information:
                  • Successful, ratio: 50%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 101
                  • Number of non-executed functions: 16
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 217.20.57.19, 88.221.110.91, 2.16.100.168
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
                  • Execution Graph export aborted for target PRESUPUEST.exe, PID 4424 because it is empty
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  • VT rate limit hit for: PRESUPUEST.exe
          Time | Type | Description
          17:31:58 | API Interceptor | 3x Sleep call for process: PRESUPUEST.exe modified
          Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
          185.38.142.240 | Aviso de transferencia.exe | | malicious | AsyncRAT, PureLog Stealer | |
          185.38.142.240 | rUAE_LPO.com.exe | | malicious | AsyncRAT, PureLog Stealer | |
                      No context
                      No context
                      Process:C:\Users\user\Desktop\PRESUPUEST.exe
                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                      Category:dropped
                      Size (bytes):71954
                      Entropy (8bit):7.996617769952133
                      Encrypted:true
                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                      Malicious:false
                      Reputation:high, very likely benign file
                      Process:C:\Users\user\Desktop\PRESUPUEST.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):328
                      Entropy (8bit):3.150184159866505
                      Encrypted:false
                      SSDEEP:6:kK1B99UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:vkDnLNkPlE99SNxAhUe/3
                      MD5:E55456C70334603D91CBD649698B8F0B
                      SHA1:26628D2C0A75150BD15AD716D56006E51C02F51E
                      SHA-256:DE10FB059ED373190336AF04B4150900B40C793B748E04415E9FB10FA387D5D3
                      SHA-512:B339FAADF2CC7DC0C0AAD79915A1EF29F436EDB1405CC4237D53A213C228887DF961879FA58ABFE5770E5BC03D63697DB0088306F75F1C45A3CEB6622D2ACA0E
                      Malicious:false
                      Reputation:low
                      Preview:p...... ............J*..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                      Process:C:\Users\user\Desktop\PRESUPUEST.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1216
                      Entropy (8bit):5.34331486778365
                      Encrypted:false
                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                      Malicious:true
                      Reputation:high, very likely benign file
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):7.500704444306323
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      • Win32 Executable (generic) a (10002005/4) 49.75%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Windows Screen Saver (13104/52) 0.07%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      File name:PRESUPUEST.exe
                      File size:546'816 bytes
                      MD5:9533800ff0c1ef9979f705d23d0a625a
                      SHA1:818521b032199079f6757cad27c3f5f073a131f6
                      SHA256:e64bf07778d6213ab62a2e94e764053d4378192b836715aa6552405de1e15832
                      SHA512:7f4866986310f3b20e5fdcd46f4cb61fb2d8d6c840457b77ffd1378a84901345b2e6a6b4864836eafd5b8f9764871c255feb88a0adf5b2cfee06962f403128ae
                      SSDEEP:12288:ZBBJwlsFlt4krssP9go6toOmpb0l65xraLr:5mibd1gbwpbW65x
                      TLSH:5FC49ED03B367716DE69AA749219DDB583F11A78B040FAF269DC3B87318D2119E1CF42
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3.................0..N...........m... ........@.. ....................................@................................
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0x486d16
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0xE0C10E33 [Mon Jun 27 22:07:47 2089 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                      Instruction
                      jmp dword ptr [00402000h]
                      add byte ptr [eax], al
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x86cc4 | 0x4f | .text
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x88000 | 0x5a4 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8a000 | 0xc | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x849f0 | 0x70 | .text
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x2000 | 0x84d1c | 0x84e00 | 6f165f8ac8a85f3caf0a2be6d72b0bcd | False | 0.8180102745766697 | data | 7.50950168517389 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rsrc | 0x88000 | 0x5a4 | 0x600 | 2adab10e42bcb9b5dd52ad2ee5dd0603 | False | 0.4212239583333333 | data | 4.0759705513035245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0x8a000 | 0xc | 0x200 | 8bc633c95cad3528012749c3a0d84c35 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      RT_VERSION | 0x88090 | 0x314 | data |  |  | 0.4365482233502538
                      RT_MANIFEST | 0x883b4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347
                      DLL | Import
                      mscoree.dll | _CorExeMain
                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                      2024-10-29T22:32:10.766832+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 185.38.142.240 | 1940 | 192.168.2.5 | 49709 | TCP
                      2024-10-29T22:32:10.766832+0100 | 2030673 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 185.38.142.240 | 1940 | 192.168.2.5 | 49709 | TCP
                      2024-10-29T22:32:10.766832+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 185.38.142.240 | 1940 | 192.168.2.5 | 49709 | TCP
                      2024-10-29T22:32:10.766832+0100 | 2035607 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 185.38.142.240 | 1940 | 192.168.2.5 | 49709 | TCP
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Oct 29, 2024 22:32:04.890180111 CET | 50383 | 53 | 192.168.2.5 | 1.1.1.1
                      Oct 29, 2024 22:32:04.904010057 CET | 53 | 50383 | 1.1.1.1 | 192.168.2.5
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Oct 29, 2024 22:32:04.890180111 CET | 192.168.2.5 | 1.1.1.1 | 0xf982 | Standard query (0) | quin.ydns.eu | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Oct 29, 2024 22:32:04.904010057 CET | 1.1.1.1 | 192.168.2.5 | 0xf982 | Name error (3) | quin.ydns.eu | none | none | A (IP address) | IN (0x0001) | false
                      Oct 29, 2024 22:32:11.103430033 CET | 1.1.1.1 | 192.168.2.5 | 0x644c | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | CNAME (Canonical name) | IN (0x0001) | false
                      Oct 29, 2024 22:32:11.103430033 CET | 1.1.1.1 | 192.168.2.5 | 0x644c | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.57.19 | A (IP address) | IN (0x0001) | false


                      Target ID:0
                      Start time:17:31:58
                      Start date:29/10/2024
                      Path:C:\Users\user\Desktop\PRESUPUEST.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\PRESUPUEST.exe"
                      Imagebase:0x170000
                      File size:546'816 bytes
                      MD5 hash:9533800FF0C1EF9979F705D23D0A625A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.2031014025.0000000002809000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                      Reputation:low
                      Has exited:true

                      Target ID:3
                      Start time:17:31:59
                      Start date:29/10/2024
                      Path:C:\Users\user\Desktop\PRESUPUEST.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\PRESUPUEST.exe"
                      Imagebase:0xb10000
                      File size:546'816 bytes
                      MD5 hash:9533800FF0C1EF9979F705D23D0A625A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.3274704920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000003.00000002.3274704920.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.3275090090.0000000001136000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.3276221288.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.3276221288.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                      Reputation:low
                      Has exited:false


                        Execution Graph

                        Execution Coverage:12.1%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:1.8%
                        Total number of Nodes:326
                        Total number of Limit Nodes:25
                        APIs
                        • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06F02FEF
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: InformationProcessQuery
                        • String ID:
                        • API String ID: 1778838933-0
                        • Opcode ID: 07518d62f840cfb5c134300f4c535f295c86f353995085ea9ee38cf312d3289d
                        • Instruction ID: 0d60a2ac4d64cae213d7d51dc61bced3c25a7ac6f0d3476e151e8a1f39cb78c5
                        • Opcode Fuzzy Hash: 07518d62f840cfb5c134300f4c535f295c86f353995085ea9ee38cf312d3289d
                        • Instruction Fuzzy Hash: AF21DEB59012499FCB10DF9AD884ADEFFF5FF49314F10852AE918A7250D338AA54CFA0
                        APIs
                        • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06F02FEF
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: InformationProcessQuery
                        • String ID:
                        • API String ID: 1778838933-0
                        • Opcode ID: 41fe51e14f37ba71a003e1b4e528cf4c4916ec3923bfe68ed601ef7e7a1500a2
                        • Instruction ID: bad28fbb9fbc8b25eb10dc82e71a71bf8a92f5a626f816c7d43ce9925737b9cf
                        • Opcode Fuzzy Hash: 41fe51e14f37ba71a003e1b4e528cf4c4916ec3923bfe68ed601ef7e7a1500a2
                        • Instruction Fuzzy Hash: 8321EDB59002499FCB10DF9AD884ADEBBF4FB49310F10842AE918A7250D378AA40CFA4

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 402 93e6a8-93e747 GetCurrentProcess 406 93e750-93e784 GetCurrentThread 402->406 407 93e749-93e74f 402->407 408 93e786-93e78c 406->408 409 93e78d-93e7c1 GetCurrentProcess 406->409 407->406 408->409 411 93e7c3-93e7c9 409->411 412 93e7ca-93e7e5 call 93e888 409->412 411->412 415 93e7eb-93e81a GetCurrentThreadId 412->415 416 93e823-93e885 415->416 417 93e81c-93e822 415->417 417->416
                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 0093E736
                        • GetCurrentThread.KERNEL32 ref: 0093E773
                        • GetCurrentProcess.KERNEL32 ref: 0093E7B0
                        • GetCurrentThreadId.KERNEL32 ref: 0093E809
                        Memory Dump Source
                        • Source File: 00000000.00000002.2030463756.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_930000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: b1d8e2f4564a581c6c12034db363f0caff200e7059b3aa7d1a98e23a889f180d
                        • Instruction ID: 02997a581ad10a26c8dd5fef18312ae57ded62e8c805ac050463eb5865b765ca
                        • Opcode Fuzzy Hash: b1d8e2f4564a581c6c12034db363f0caff200e7059b3aa7d1a98e23a889f180d
                        • Instruction Fuzzy Hash: BA5145B09013498FDB24DFAAD988BAEBBF5FF49304F208459E009A73A1D7749944CF65

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 424 93e6b8-93e747 GetCurrentProcess 428 93e750-93e784 GetCurrentThread 424->428 429 93e749-93e74f 424->429 430 93e786-93e78c 428->430 431 93e78d-93e7c1 GetCurrentProcess 428->431 429->428 430->431 433 93e7c3-93e7c9 431->433 434 93e7ca-93e7e5 call 93e888 431->434 433->434 437 93e7eb-93e81a GetCurrentThreadId 434->437 438 93e823-93e885 437->438 439 93e81c-93e822 437->439 439->438
                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 0093E736
                        • GetCurrentThread.KERNEL32 ref: 0093E773
                        • GetCurrentProcess.KERNEL32 ref: 0093E7B0
                        • GetCurrentThreadId.KERNEL32 ref: 0093E809
                        Memory Dump Source
                        • Source File: 00000000.00000002.2030463756.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_930000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: b14de43497d3092e5641da931835389b82b518d896b1f56377d463d553bf0f26
                        • Instruction ID: 9b39e27a7d1f7477b26699d9ba300a6a0ad998083d551c2d174771a84d7c0e41
                        • Opcode Fuzzy Hash: b14de43497d3092e5641da931835389b82b518d896b1f56377d463d553bf0f26
                        • Instruction Fuzzy Hash: 205147B09003098FDB24DFAAD548BAEBBF5FF49304F208459E019A73A0D774A944CF65

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 562 6eeadc0-6eeae14 563 6eeae1f-6eeae2e 562->563 564 6eeae16-6eeae1c 562->564 565 6eeae33-6eeae6c DrawTextExW 563->565 566 6eeae30 563->566 564->563 567 6eeae6e-6eeae74 565->567 568 6eeae75-6eeae92 565->568 566->565 567->568
                        APIs
                        • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06EEAE5F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035901446.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6ee0000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: DrawText
                        • String ID: U
                        • API String ID: 2175133113-3372436214
                        • Opcode ID: d792d7f464d01a0aec737a4673f642af517e53fe205a6670919797cdac8083ea
                        • Instruction ID: ace7f86677d2443782da19321877a35dd0262a7058947fcf924e3f72f1154812
                        • Opcode Fuzzy Hash: d792d7f464d01a0aec737a4673f642af517e53fe205a6670919797cdac8083ea
                        • Instruction Fuzzy Hash: 123102B1D007499FDB10CF9AD884AEEBBF5FB58324F14842EE919A7210D375A944CFA1

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 654 6f0e38c-6f0e42d 657 6f0e466-6f0e486 654->657 658 6f0e42f-6f0e439 654->658 663 6f0e488-6f0e492 657->663 664 6f0e4bf-6f0e4ee 657->664 658->657 659 6f0e43b-6f0e43d 658->659 661 6f0e460-6f0e463 659->661 662 6f0e43f-6f0e449 659->662 661->657 665 6f0e44b 662->665 666 6f0e44d-6f0e45c 662->666 663->664 667 6f0e494-6f0e496 663->667 674 6f0e4f0-6f0e4fa 664->674 675 6f0e527-6f0e5e1 CreateProcessA 664->675 665->666 666->666 668 6f0e45e 666->668 669 6f0e498-6f0e4a2 667->669 670 6f0e4b9-6f0e4bc 667->670 668->661 672 6f0e4a4 669->672 673 6f0e4a6-6f0e4b5 669->673 670->664 672->673 673->673 676 6f0e4b7 673->676 674->675 677 6f0e4fc-6f0e4fe 674->677 686 6f0e5e3-6f0e5e9 675->686 687 6f0e5ea-6f0e670 675->687 676->670 679 6f0e500-6f0e50a 677->679 680 6f0e521-6f0e524 677->680 681 6f0e50c 679->681 682 6f0e50e-6f0e51d 679->682 680->675 681->682 682->682 683 6f0e51f 682->683 683->680 686->687 697 6f0e680-6f0e684 687->697 698 6f0e672-6f0e676 687->698 700 6f0e694-6f0e698 697->700 701 6f0e686-6f0e68a 697->701 698->697 699 6f0e678 698->699 699->697 703 6f0e6a8-6f0e6ac 700->703 704 6f0e69a-6f0e69e 700->704 701->700 702 6f0e68c 701->702 702->700 706 6f0e6be-6f0e6c5 703->706 707 6f0e6ae-6f0e6b4 703->707 704->703 705 6f0e6a0 704->705 705->703 708 6f0e6c7-6f0e6d6 706->708 709 6f0e6dc 706->709 707->706 708->709 711 6f0e6dd 709->711 711->711
                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F0E5CE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: 94e1f0aef927a6b8bb6ff5dd04f2ffa3a8e0b3d4e47a0dc0ba1a814804f2aa25
                        • Instruction ID: d280e6754bb0b727b862b98be6586e9511ef4858358d8b675bab1926f376e48c
                        • Opcode Fuzzy Hash: 94e1f0aef927a6b8bb6ff5dd04f2ffa3a8e0b3d4e47a0dc0ba1a814804f2aa25
                        • Instruction Fuzzy Hash: 2CA19D75D00219DFEB64CFA8C841BEDBBB2FF45314F1489A9E808A7280DB749985DF91

                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F0E5CE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: f2c3b779b8297f3180d75ba4624bfc5318be0ea13e6545dbda04eac64446404e
                        • Instruction ID: 54366f5d97c9913637d2ea14f41b8cf9f0bd1f0336ca3f5dbe6c73fb8abc9055
                        • Opcode Fuzzy Hash: f2c3b779b8297f3180d75ba4624bfc5318be0ea13e6545dbda04eac64446404e
                        • Instruction Fuzzy Hash: E9918E75D00219DFEB64CFA8C841BEDBBB2FF45314F1489A9E808A7280DB749985DF91

                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0093C29E
                        Memory Dump Source
                        • Source File: 00000000.00000002.2030463756.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_930000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 3b6c17aa4267efa7f36f5788b896b029a176b21311d0b315205c16d0bf66cbb9
                        • Instruction ID: cf349473b8a1a09ed0eb2b34c6d91c4387335d23455dbae97972df2eb39d8b86
                        • Opcode Fuzzy Hash: 3b6c17aa4267efa7f36f5788b896b029a176b21311d0b315205c16d0bf66cbb9
                        • Instruction Fuzzy Hash: 3B8154B0A04B458FDB24DF69D44079ABBF5BF88300F108A2ED48AD7A51DB75E809CF91

                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 00936B31
                        Memory Dump Source
                        • Source File: 00000000.00000002.2030463756.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_930000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 0e6c941cb53a4bd4e4ce7044d2528c3bf45d2b238910ea452bb08cda6e2735bd
                        • Instruction ID: 27f24507ff728c0dbd5783ad577203e9546fe6855219f3fb38788a5ccccbf0cf
                        • Opcode Fuzzy Hash: 0e6c941cb53a4bd4e4ce7044d2528c3bf45d2b238910ea452bb08cda6e2735bd
                        • Instruction Fuzzy Hash: E941F3B0C04619CFDB25CFA9C844B9DFBF5BF45308F20846AD408AB255D775694ACF90

                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 00936B31
                        Memory Dump Source
                        • Source File: 00000000.00000002.2030463756.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_930000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: b81428632f18fb3799af27d2c57d0fd4cdd1df5b59a5b9bfc388dc2fc83e6f94
                        • Instruction ID: 2db1cf51f531217b6764c57d1140e1536b79804bdb7d485068a3adb247f62cc8
                        • Opcode Fuzzy Hash: b81428632f18fb3799af27d2c57d0fd4cdd1df5b59a5b9bfc388dc2fc83e6f94
                        • Instruction Fuzzy Hash: 454112B0C04718DBCB24CFA9C844B9DFBF5BF49308F20846AD408AB250DBB56946CF90
                        APIs
                        • OutputDebugStringW.KERNELBASE(00000000), ref: 06F03FF0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: DebugOutputString
                        • String ID:
                        • API String ID: 1166629820-0
                        • Opcode ID: 9faf58a61ba36ccdae4389c111f5fa1b84d020d44bcc394e7241bb74a1f059db
                        • Instruction ID: 5a18ba56891c2f37e91c81eef9a1bfc110168f1074dc3804361ab8b71b1ca737
                        • Opcode Fuzzy Hash: 9faf58a61ba36ccdae4389c111f5fa1b84d020d44bcc394e7241bb74a1f059db
                        • Instruction Fuzzy Hash: 4831ABB1C043899FCB15DFA9D8446EEFFB5EF09310F1081AAD808A7291D7385944CFA1
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F0E1A0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: 5b60f2d8a491f599ebc7e2f77fe37e4d7e192a94eb8386cddd677cc253d233a3
                        • Instruction ID: d30658e5f0eef1297167944bcb67af9699dde5acb262b89ae23fc062b696c6f5
                        • Opcode Fuzzy Hash: 5b60f2d8a491f599ebc7e2f77fe37e4d7e192a94eb8386cddd677cc253d233a3
                        • Instruction Fuzzy Hash: 62213B75D003099FDB10DFA9C845BEEBBF5FF48310F108429E919A7240D7789944DBA0
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F0E1A0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        • Opcode ID: 8559e41d0532654afec070c5949a35e332e3877b25f321ad1977634c3e623bbe
                        • Instruction ID: 4ebe7de1f390f497b032f8de20dd74bcff77c0cab37aca5ce661b19dc7bd5882
                        • Opcode Fuzzy Hash: 8559e41d0532654afec070c5949a35e332e3877b25f321ad1977634c3e623bbe
                        • Instruction Fuzzy Hash: FE2157B5D002099FDB10CFA9C985BEEBBF5FF48310F10882AE919A7240D7789944CBA0
                        APIs
                        • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06EEAE5F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035901446.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6ee0000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: DrawText
                        • String ID:
                        • API String ID: 2175133113-0
                        • Opcode ID: b3a4e73af6b62de91f69f9d97da6590d20efb6785b6392fcdbcae2688399a4f1
                        • Instruction ID: 35d1d4dbc010a9d02173991e87e31a199ebd9ad3fbcc1edc71d207fef6ee1abd
                        • Opcode Fuzzy Hash: b3a4e73af6b62de91f69f9d97da6590d20efb6785b6392fcdbcae2688399a4f1
                        • Instruction Fuzzy Hash: 7E21CEB5D003099FDB10CF9AD884AAEBBF5FB58324F14842EE919A7210D774A944CFA0
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0093E987
                        Memory Dump Source
                        • Source File: 00000000.00000002.2030463756.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_930000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 75b6e77270268277d4593717aed3aee9ff09b7a0277dd5763b9cc3bc6fb021a1
                        • Instruction ID: b2886768794ac9609b0dd90e53165af8b0e32147ef2e259c787be6442bd47664
                        • Opcode Fuzzy Hash: 75b6e77270268277d4593717aed3aee9ff09b7a0277dd5763b9cc3bc6fb021a1
                        • Instruction Fuzzy Hash: 7421F4B59002489FDB10CFAAD584AEEBFF9FB48310F14841AE958A3350D378A954CFA1
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F0E280
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: 07146a7948337e561394c38918825df54f8109dd595da7c70d4fa452020c7168
                        • Instruction ID: a77291dcd9a5fdfa1a72bfb4f8b8db4d4c43728a5e24be3ec9330ca708f9fdcf
                        • Opcode Fuzzy Hash: 07146a7948337e561394c38918825df54f8109dd595da7c70d4fa452020c7168
                        • Instruction Fuzzy Hash: B92128B1C002499FDB10DFA9C941AEEBBF5FF48310F14842AE959A7250C7389555DBA0
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F0E280
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        • Opcode ID: 61c4d0bbe9eaa0be70b9d226891891a8d7e574116e0607b03b35dfeb7358ef76
                        • Instruction ID: 4fe8c22aa99ed7db8f647e4666c822620adf60f50a9e3727c539db3dffaa2757
                        • Opcode Fuzzy Hash: 61c4d0bbe9eaa0be70b9d226891891a8d7e574116e0607b03b35dfeb7358ef76
                        • Instruction Fuzzy Hash: 96213AB1C003499FDB10DFAAC840AEEFBF5FF48310F108429E919A7250D7389940DBA0
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F0DFF6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: 63b70502d00be596686290ccdf3ad22f10e67d665dfbf905ff51148f9aab2124
                        • Instruction ID: a10514fe81ce702930738a7960d9a34eca3819050f94407dc88c5dab2f5eb316
                        • Opcode Fuzzy Hash: 63b70502d00be596686290ccdf3ad22f10e67d665dfbf905ff51148f9aab2124
                        • Instruction Fuzzy Hash: 352135B1D002098FDB10DFAAC5857EEBBF5EF88314F14842AD519A7280DB78A944CFA1
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F0DFF6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        • Opcode ID: d7627c709d879fe884898d6b2aebc889253ce2c5ed139b7e926005a96f8f00c0
                        • Instruction ID: 1dd9e5ff7bb52aa91aea12cafbf0c1d1211d1734f92fbc36559181d1bd0e081e
                        • Opcode Fuzzy Hash: d7627c709d879fe884898d6b2aebc889253ce2c5ed139b7e926005a96f8f00c0
                        • Instruction Fuzzy Hash: 362115B1D002098FDB10DFAAC485BEEBBF5EF49314F14842AD519A7280DB78A945CFA5
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0093E987
                        Memory Dump Source
                        • Source File: 00000000.00000002.2030463756.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_930000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: cafda30fd9cc81c764e333753d7444e0e5d4487e264f59966fbf3f08b5680c26
                        • Instruction ID: 9ebd765036b70fa4e1b771c8f0439563bfb40110a71fcfa28d268210974f680e
                        • Opcode Fuzzy Hash: cafda30fd9cc81c764e333753d7444e0e5d4487e264f59966fbf3f08b5680c26
                        • Instruction Fuzzy Hash: 0721C4B59002489FDB10CF9AD584AEEFFF9FB48310F14841AE918A3350D379A954CFA5
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F0E0BE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 8cf9919e5280a5eefd14b96bf62f65686bcd10988bfe51b827d0601c367f957f
                        • Instruction ID: f127e6a58bfe182ef3db26bccab8d007680c76643afcaa21ffba014e29679f4b
                        • Opcode Fuzzy Hash: 8cf9919e5280a5eefd14b96bf62f65686bcd10988bfe51b827d0601c367f957f
                        • Instruction Fuzzy Hash: 7C1137718002499FDB10DFAAC844AEEBFF5EF48314F208819E519A7250CB79A940CFA1
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F0E0BE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: b9fe1eaab25b27fd9c400be94eb9b803aa614d3365f1e20fa0699fedf525b51b
                        • Instruction ID: df1b5a2a0139446ddbd6a904d1d06ebcc07c84db449b9fed00faa835644c307f
                        • Opcode Fuzzy Hash: b9fe1eaab25b27fd9c400be94eb9b803aa614d3365f1e20fa0699fedf525b51b
                        • Instruction Fuzzy Hash: 4D115676C002088FCB10DFA9C944AEEBBF5FF48314F248819E519A7250CB799540CFA0
                        APIs
                        • OutputDebugStringW.KERNELBASE(00000000), ref: 06F03FF0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: DebugOutputString
                        • String ID:
                        • API String ID: 1166629820-0
                        • Opcode ID: 799adf4e0e1e96d099af9df682447e29684c80cc5e6107fd3b6d0d41d7a4e5d1
                        • Instruction ID: ad9b6bd20e7a2e7856fb7559b7fe6dd7d831472f03f56ac8311d3ce38ee1c82a
                        • Opcode Fuzzy Hash: 799adf4e0e1e96d099af9df682447e29684c80cc5e6107fd3b6d0d41d7a4e5d1
                        • Instruction Fuzzy Hash: 211142B5D0065A9FCB14DF9AD944AEEFBB4FF08310F10851AD818B3240D738A940CFA5
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: 9e488a4e695f4b873809eacecb160830a3325f8533846d90905f73475ba8fd47
                        • Instruction ID: d7e2293b3e143e2f0b40414d63c08e39ddf0a4137450efb9b0f6b9a4faa8c52d
                        • Opcode Fuzzy Hash: 9e488a4e695f4b873809eacecb160830a3325f8533846d90905f73475ba8fd47
                        • Instruction Fuzzy Hash: B81128B1D002488BDB20DFAAD5457EEFBF5EF88314F24841AD519A7240DB78A544CFA4
                        APIs
                        • OutputDebugStringW.KERNELBASE(00000000), ref: 06F03FF0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: DebugOutputString
                        • String ID:
                        • API String ID: 1166629820-0
                        • Opcode ID: 501cb524c5e3852989948f43fc665e196b5caf68a7586f6d5923c8ba22fdf6e1
                        • Instruction ID: a5c6d93948bf84585a04d7fd966de49fde987091ca47d048acee2c79431c0068
                        • Opcode Fuzzy Hash: 501cb524c5e3852989948f43fc665e196b5caf68a7586f6d5923c8ba22fdf6e1
                        • Instruction Fuzzy Hash: 8B1123B1C0065A9BCB14DF9AD844A9EFBF8FF48310F10851AD818A3240D338A940CFA5
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        • Opcode ID: 4d4ef5b6e56343b2255816573dfc0ba0f9523d7d970914e4742c4a1618f2df45
                        • Instruction ID: 8dc8f7f2af86087d9b74840152b33611c66071e66017431d31c92e2f18b73d3b
                        • Opcode Fuzzy Hash: 4d4ef5b6e56343b2255816573dfc0ba0f9523d7d970914e4742c4a1618f2df45
                        • Instruction Fuzzy Hash: 29113AB1D002488FDB10DFAAC4457EEFBF9EF89314F208419D519A7240CB79A944CBA4
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0093C29E
                        Memory Dump Source
                        • Source File: 00000000.00000002.2030463756.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_930000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: b0c369a904bd8d3cc251b6ab646810a1ec517b852b3fdbcce329c07eb615eec6
                        • Instruction ID: f032a8be3647d91eab72de31453fdf3a664249887d9e287aac94e70eff0e5190
                        • Opcode Fuzzy Hash: b0c369a904bd8d3cc251b6ab646810a1ec517b852b3fdbcce329c07eb615eec6
                        • Instruction Fuzzy Hash: 59110FB5C007498FCB10DF9AC444A9EFBF8EB88314F10841AD829B7200D379A945CFA1
                        APIs
                        • PostMessageW.USER32(?,?,?,?), ref: 088312F5
                        Memory Dump Source
                        • Source File: 00000000.00000002.2036216029.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8830000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: 6b17d3ae153528c134d02beebd5808cbaa50b6702acaf79b47435723c4fffe44
                        • Instruction ID: b01c4959da9dde29bcd9f2f12201aa16ca9b63d8051ac2a1c27e408835cc4cb2
                        • Opcode Fuzzy Hash: 6b17d3ae153528c134d02beebd5808cbaa50b6702acaf79b47435723c4fffe44
                        • Instruction Fuzzy Hash: CC1122B5800349DFCB10DF8AC849BDEBBF8FB49724F10840AE919A7200C378A944CFA5
                        APIs
                        • PostMessageW.USER32(?,?,?,?), ref: 088312F5
                        Memory Dump Source
                        • Source File: 00000000.00000002.2036216029.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8830000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: 68e210b3697c9c858bf0d6dc6130ff49624ef6a7b19b04ad0947fced0464ba80
                        • Instruction ID: 48dbea8e8518204ee60a92f4ad55bdac6e81b4d07340f4f3e8bfb57568cbd919
                        • Opcode Fuzzy Hash: 68e210b3697c9c858bf0d6dc6130ff49624ef6a7b19b04ad0947fced0464ba80
                        • Instruction Fuzzy Hash: BE1103B58003499FCB10DF9AC548BDEBBF8EB49714F108419E518A3600D379A944CFA1
                        APIs
                        • CloseHandle.KERNELBASE(?), ref: 06F0408F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: CloseHandle
                        • String ID:
                        • API String ID: 2962429428-0
                        • Opcode ID: 8296ae4b046454d4abac0977b6363782d1c5c21930292433d6957a4fad37fae6
                        • Instruction ID: 1176323e38d38a49a52477ec53f070c1dfbcb665698a402aca448b500ec231d4
                        • Opcode Fuzzy Hash: 8296ae4b046454d4abac0977b6363782d1c5c21930292433d6957a4fad37fae6
                        • Instruction Fuzzy Hash: 581136B1900249CFDB10DF9AC844BEEFBF4EF59314F20846AD558A7280D739A944CFA4
                        APIs
                        • CloseHandle.KERNELBASE(?), ref: 06F0408F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2035962837.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6f00000_PRESUPUEST.jbxd
                        Similarity
                        • API ID: CloseHandle
                        • String ID:
                        • API String ID: 2962429428-0
                        • Opcode ID: 4b5f642a2bad524b801b1da1a97b02cd661363f4e6dd9abcd43bce0f30e631e3
                        • Instruction ID: d9d472254d88f10d59ff9c9bb1bbfd8458dbdcb94b7af64b3ece7d5f232b4a65
                        • Opcode Fuzzy Hash: 4b5f642a2bad524b801b1da1a97b02cd661363f4e6dd9abcd43bce0f30e631e3
                        • Instruction Fuzzy Hash: C21136B1800249CFDB10DF9AC844BEEFBF8EF49324F208459D518A3240D378A944CFA5
                        Memory Dump Source
                        • Source File: 00000000.00000002.2030226985.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3276015676.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_2c10000_PRESUPUEST.jbxd
                        Similarity
                        • API ID:
                        • String ID: \Vel
                        • API String ID: 0-2485161877
                        • Opcode ID: d0b4842a18ba731325a2662e25268c947e921708b1ea1dd00f983a34fe5f8154
                        • Instruction ID: 30a69d79b17f9dcb0d80a1afbf5ad9bc53a4873156a69a6c0a03a1fc817242a2
                        • Opcode Fuzzy Hash: d0b4842a18ba731325a2662e25268c947e921708b1ea1dd00f983a34fe5f8154
                        • Instruction Fuzzy Hash: 76B15E70E00209CFDF14CFA9C9867ADBBF6BF8A304F248129D819A7254EB749945DF85
                        Memory Dump Source
                        • Source File: 00000003.00000002.3276015676.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_2c10000_PRESUPUEST.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3c33fbf9b3c58304af490618f8db799262f49b1c0fb4ca587334497b477402ec
                        • Instruction ID: 969eeb75cdd2e26351666e92a8580cca406be79813bd9ec2af5dd02ffe395f96
                        • Opcode Fuzzy Hash: 3c33fbf9b3c58304af490618f8db799262f49b1c0fb4ca587334497b477402ec
                        • Instruction Fuzzy Hash: ABB16F71E00209CFDF14CFA9C9827ADBBF6AF89314F248129D815A7394EB749985DF81
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3276015676.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_2c10000_PRESUPUEST.jbxd
                        Similarity
                        • API ID:
                        • String ID: a]q$ a]q$,$xaq
                        • API String ID: 0-452644037
                        • Opcode ID: 96ce0cd106cb9bacf45622640c4dc515f2e128325da3eed889ae6a573758e327
                        • Instruction ID: 178a49462d1a9c1d147ffa890c4eaadaad42dfa32ba551a6a0d1ef03165d685e
                        • Opcode Fuzzy Hash: 96ce0cd106cb9bacf45622640c4dc515f2e128325da3eed889ae6a573758e327
                        • Instruction Fuzzy Hash: E802D1747002059FCB15EF29D484B5E7BE6BF89304F248A68D5059B3A9DFB8EC46CB80
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3276015676.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_2c10000_PRESUPUEST.jbxd
                        Similarity
                        • API ID:
                        • String ID: a]q$ a]q$xaq
                        • API String ID: 0-315583803
                        • Opcode ID: 2923e99141549e8627be05145e28e8a3e44c5a962d37eb5a5f4d7ae89ff1d631
                        • Instruction ID: cebb31a03bebe12995e494e1f455ee7096c3054f07931a047803f2eed78d799f
                        • Opcode Fuzzy Hash: 2923e99141549e8627be05145e28e8a3e44c5a962d37eb5a5f4d7ae89ff1d631
                        • Instruction Fuzzy Hash: BA619C787002008FC715AF29D485B5A7BE6FF89314F148969D5069F3A8DFB9AD46CBC0
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3276015676.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_2c10000_PRESUPUEST.jbxd
                        Similarity
                        • API ID:
                        • String ID: (aq$Te]q$d6p
                        • API String ID: 0-967301506
                        • Opcode ID: d69f60a722a5a855ec6157f7f2ecd8498d734efeb60e241f769a721f86389fdc
                        • Instruction ID: ecab159ce0496773e7d01a397ab19c717d3b40541637e59aae3c7525f652b654
                        • Opcode Fuzzy Hash: d69f60a722a5a855ec6157f7f2ecd8498d734efeb60e241f769a721f86389fdc
                        • Instruction Fuzzy Hash: 5C518134B101149FCB54DF6DC458A9EBBF6FF89710F2580A9E406DB3A5CA75DC028B90
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3276015676.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_2c10000_PRESUPUEST.jbxd
                        Similarity
                        • API ID:
                        • String ID: Haq$dLcq
                        • API String ID: 0-1713614415
                        • Opcode ID: 0d03e2f2713b5900e4e2aceeeff509add7932b70d127c95533c35b839c2ab432
                        • Instruction ID: 0ce534460f357d29970c0a4fb483d309e0ff4a13e6b2a5ade0cbd5318095af92
                        • Opcode Fuzzy Hash: 0d03e2f2713b5900e4e2aceeeff509add7932b70d127c95533c35b839c2ab432
                        • Instruction Fuzzy Hash: 4741E1317042049FCB15DF69D454AAEBBF6BF8A304F1484AAE406EB3A1CB35ED45CB90
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3276015676.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_2c10000_PRESUPUEST.jbxd
                        Similarity
                        • API ID:
                        • String ID: $]q$$]q
                        • API String ID: 0-127220927
                        • Opcode ID: 3ccadee4ca497eb11771a5185f13df184b751bdc711c517f97e442fb636b331a
                        • Instruction ID: 4d2f401982b525762da03577233e48934a0995fe863cc3f96675bc71fb7ca894
                        • Opcode Fuzzy Hash: 3ccadee4ca497eb11771a5185f13df184b751bdc711c517f97e442fb636b331a
                        • Instruction Fuzzy Hash: 7A41AC30704541DFC7886FAA91A9529BBB7FFCA7057288948E0069B394CF32DD63DB91
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3276015676.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_2c10000_PRESUPUEST.jbxd
                        Similarity
                        • API ID:
                        • String ID: \Vel
                        • API String ID: 0-2485161877
                        • Opcode ID: eb51d8f5177cd2a0dfa089c2085c1971f90f43368c2c39042d8c4787ad233daf
                        • Instruction ID: 1d48d6e2087b01e53d46496b6b53790f645709383828ab2d8efdd5c9548d287b
                        • Opcode Fuzzy Hash: eb51d8f5177cd2a0dfa089c2085c1971f90f43368c2c39042d8c4787ad233daf
                        • Instruction Fuzzy Hash: BDD16F70E00209CFDF14CFA8C9867DDBBF6AF8A318F248129D419A7250EB749985DF95
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3276015676.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_2c10000_PRESUPUEST.jbxd
                        Similarity
                        • API ID:
                        • String ID: xaq
                        • API String ID: 0-793007810
                        • Opcode ID: 8cc6b8fedf80f5b455514696af2107fc2f98aca9788d1777e98d69521b520178
                        • Instruction ID: 4d6bfeda28fef928ee9b99dedb2527177cf0bca355acaedd682224cd49a315e9
                        • Opcode Fuzzy Hash: 8cc6b8fedf80f5b455514696af2107fc2f98aca9788d1777e98d69521b520178
                        • Instruction Fuzzy Hash: 0691AC78901210CFDF24CF29E55671537FABB8A318F1442BAC4018BB98DBB5AA46DFD1
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3276015676.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_2c10000_PRESUPUEST.jbxd
                        Similarity
                        • API ID:
                        • String ID: Te]q
                        • API String ID: 0-52440209
                        • Opcode ID: 48151c715c366cecd9fccdfa72753ab2472c7f861d16635d0701891b69915752
                        • Instruction ID: aaec55027a95751d94e14a3d8fe1ced445976144f4be7f376ddf204e113e0864
                        • Opcode Fuzzy Hash: 48151c715c366cecd9fccdfa72753ab2472c7f861d16635d0701891b69915752
                        • Instruction Fuzzy Hash: C7519F74640604DFEB24DF6AC965B69BBF2FF89714F208169E5029B3E4CBB5AC41CB40
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3276015676.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_2c10000_PRESUPUEST.jbxd
                        Similarity
                        • API ID:
                        • String ID: $]q
                        • API String ID: 0-1007455737
                        • Opcode ID: 248e75de4cdef22fe57157aa464a5473a4e3123bbf05a833cb1043d218d7fb16
                        • Instruction ID: 89753d50bc0d5dde59cf8c4faeb64b96176c8fac59e30abf1e40565e38ea5076
                        • Opcode Fuzzy Hash: 248e75de4cdef22fe57157aa464a5473a4e3123bbf05a833cb1043d218d7fb16
                        • Instruction Fuzzy Hash: B041F230708680DFC7895FAA90A9128BBB3BFCA7057388985D0469B394CF36DD53DB91
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3276015676.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                        Memory Dump Source
                        • Source File: 00000003.00000002.3275590709.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false