Windows Analysis Report Pedido_73580523.exe

Overview

General Information

Sample Name: Pedido_73580523.exe
Analysis ID: 452720
MD5: facf53403056e3d7529fc8a5ce8be77f
SHA1: 384a0565e553ac374dd6d197b51a94bace517f36
SHA256: 3bd0c04ee4c4ba078c54f4e7f5f956894204b2ccfbe84cdf934c40b28e30165e
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AgentTesla
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • Pedido_73580523.exe (PID: 5300 cmdline: 'C:\Users\user\Desktop\Pedido_73580523.exe' MD5: FACF53403056E3D7529FC8A5CE8BE77F)
    • schtasks.exe (PID: 5572 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AsJOyfF' /XML 'C:\Users\user\AppData\Local\Temp\tmpE123.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Pedido_73580523.exe (PID: 5556 cmdline: C:\Users\user\Desktop\Pedido_73580523.exe MD5: FACF53403056E3D7529FC8A5CE8BE77F)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "comercial@fil-net.com", "Password": "Fil-2020net+", "Host": "smtp.fil-net.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000A.00000002.477029833.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000002.477029833.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000A.00000002.482206356.0000000002CF1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000002.482206356.0000000002CF1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000A.00000002.483335897.0000000002D9E000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(2 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
10.2.Pedido_73580523.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
10.2.Pedido_73580523.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 10.2.Pedido_73580523.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "comercial@fil-net.com", "Password": "Fil-2020net+", "Host": "smtp.fil-net.com"}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\AsJOyfF.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Pedido_73580523.exe | Joe Sandbox ML: detected
Source: 10.2.Pedido_73580523.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Pedido_73580523.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Pedido_73580523.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

System Summary:

.NET source code contains very large array initializations
Source: 10.2.Pedido_73580523.exe.400000.0.unpack, <PrivateImplementationDetails>{10ED4C56-571C-402E-B4B1-87E9BCA3C5C4}/CBB7CA1A-ED7A-47B8-88E9-F0C8884A2598.cs | Large array initialization: .cctor: array initializer size 11976
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Code function: 10_2_007B2F65
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Code function: 10_2_01050040
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Code function: 10_2_01056078
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Code function: 10_2_010571A8
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Code function: 10_2_011047A0
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Code function: 10_2_011046B0
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Code function: 10_2_011046D0
Source: Pedido_73580523.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AsJOyfF.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pedido_73580523.exe, 00000000.00000000.207704573.0000000000D78000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNullableMarshal.exe8 vs Pedido_73580523.exe
Source: Pedido_73580523.exe, 0000000A.00000002.482059336.0000000002CC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs Pedido_73580523.exe
Source: Pedido_73580523.exe, 0000000A.00000000.272608589.0000000000878000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNullableMarshal.exe8 vs Pedido_73580523.exe
Source: Pedido_73580523.exe, 0000000A.00000002.477029833.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenDAdqEzYkDSGpDZYlPMgRyM.exe4 vs Pedido_73580523.exe
Source: Pedido_73580523.exe, 0000000A.00000002.485962524.0000000005D60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Pedido_73580523.exe
Source: Pedido_73580523.exe | Binary or memory string: OriginalFilenameNullableMarshal.exe8 vs Pedido_73580523.exe
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Section loaded: scrrun.dll
Source: Pedido_73580523.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Pedido_73580523.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: AsJOyfF.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Pedido_73580523.exe, RF8PXKLrFH3jwUt3cN/oBbAM0U5fbpRrmLh7v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: AsJOyfF.exe.0.dr, RF8PXKLrFH3jwUt3cN/oBbAM0U5fbpRrmLh7v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Pedido_73580523.exe.cb0000.0.unpack, RF8PXKLrFH3jwUt3cN/oBbAM0U5fbpRrmLh7v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.Pedido_73580523.exe.7b0000.1.unpack, RF8PXKLrFH3jwUt3cN/oBbAM0U5fbpRrmLh7v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.Pedido_73580523.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.Pedido_73580523.exe.7b0000.0.unpack, RF8PXKLrFH3jwUt3cN/oBbAM0U5fbpRrmLh7v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@0/0
Source: C:\Users\user\Desktop\Pedido_73580523.exe | File created: C:\Users\user\AppData\Roaming\AsJOyfF.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5656:120:WilError_01
Source: C:\Users\user\Desktop\Pedido_73580523.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE123.tmp
Source: Pedido_73580523.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Pedido_73580523.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Pedido_73580523.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Pedido_73580523.exe | File read: C:\Users\user\Desktop\Pedido_73580523.exe
Source: unknown | Process created: C:\Users\user\Desktop\Pedido_73580523.exe 'C:\Users\user\Desktop\Pedido_73580523.exe'
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AsJOyfF' /XML 'C:\Users\user\AppData\Local\Temp\tmpE123.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Process created: C:\Users\user\Desktop\Pedido_73580523.exe C:\Users\user\Desktop\Pedido_73580523.exe
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Pedido_73580523.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Pedido_73580523.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Pedido_73580523.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: initial sample | Static PE information: section name: .text entropy: 7.55884475799
                Source: 10.2.Pedido_73580523.exe.7b0000.1.unpack, RF8PXKLrFH3jwUt3cN/oBbAM0U5fbpRrmLh7v.csHigh entropy of concatenated method names: 'xrECuAC1eC', 'iXsCpulKC2', 'BAyCt5axUV', '.ctor', '.ctor', 'VKgCjqQ6a9', 't8lCqJQdPp', 'aPgC5rOI0h', 'EhqCy3sUiS', 'OFDo377AD3Z5Et4Pcb6'
                Source: 10.2.Pedido_73580523.exe.7b0000.1.unpack, xSOS3t5IFyYYMiRg2f/E1BXjUq1EXP7kpVXGa.csHigh entropy of concatenated method names: 'NZemHNXHAj', 'HUbmfgeC7V', 'SP0m09M6oG', 'e79mGd91Hs', 'FApmXXOKC7', 'N0UmYXfeCq', 'xmLmrFJ834', 'xSXm8oOugB', 'YsamwuFL3C', 'e80m9nxNof'
                Source: 10.2.Pedido_73580523.exe.7b0000.1.unpack, wDooxRImPFlpULW3lDh/x6wypoIT0NyGHjUyoHf.csHigh entropy of concatenated method names: '.ctor', 'lekCacMHkr', 'ydjC7QDeJC', 'vSaCZgAX4N', 'XwnC1ZoEvW', 'SbgCUw9Aoc', 'w0MCLZCQy3', 'BeTCiLe7Ff', 'rgbChCknKY', 'WCICzKT1cm'
                Source: 10.0.Pedido_73580523.exe.7b0000.0.unpack, l3IX98V73sUCBF1DMc/gusKqNENHKelgRLO50.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'Nv2lUlWcJK', 'TAUuA6T5UP', 'QWGuQkf6CD', 'gWmugd7qSv', 'Es0utUWhtZ', 'bVlufrPVWL', 'ML3uhFIFgo', 'WD8uNUgw1p'
                Source: 10.0.Pedido_73580523.exe.7b0000.0.unpack, GbFWveBmWYUfQpE0t1/hiVkAR2J6uZHhOXYqv.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'oP3l40GEEn', 'EeMx3q0PqP', 'jLGxv98x6H', 'gbwxGHK5We', 'cGMxjNCQ9C', 'DR6xVXlwPG', 'V7yxkwJQGF', 'StsxAPY9Tx'
                Source: 10.0.Pedido_73580523.exe.7b0000.0.unpack, wDooxRImPFlpULW3lDh/x6wypoIT0NyGHjUyoHf.csHigh entropy of concatenated method names: '.ctor', 'lekCacMHkr', 'ydjC7QDeJC', 'vSaCZgAX4N', 'XwnC1ZoEvW', 'SbgCUw9Aoc', 'w0MCLZCQy3', 'BeTCiLe7Ff', 'rgbChCknKY', 'WCICzKT1cm'
                Source: 10.0.Pedido_73580523.exe.7b0000.0.unpack, OQaLV83CLCcgFekSoO/FK1FvBMnLR2h3Ynjwt.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'EVaRyTGt7W', 'WqYl6JPuKm', 'KQdlreO1Hl', 'gWmugd7qSv', 'Es0utUWhtZ', 'bVlufrPVWL', 'ML3uhFIFgo', 'tVv999YmWM'
                Source: 10.0.Pedido_73580523.exe.7b0000.0.unpack, thKZU6uM8BnUXXSY2C/dLiD5cbbT9vCIHCY4a.csHigh entropy of concatenated method names: 'i0DTXd37Jr', 'hrPTYuVdQp', 'otBT85twNs', 'gPQTw8DNd4', 'gSLTk1e2K8', 'lsnTnE5AM7', 'pHjTJUyoHf', 'NiZTPuGyOE', 'wDoTsoxRPF', 'YNKTvCZgeL'
                Source: 10.0.Pedido_73580523.exe.7b0000.0.unpack, vbrstF6UNbiQbaC7Fk/oLpULScGds3ogJvbnx.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'iwyR4ysLB5', 'Q5dRFeBTWx', 'lIpRWWQbX1', 'eXMRxDB0aH', 'lDqRJEsWHg', 'gWmugd7qSv', 'Es0utUWhtZ', 'bVlufrPVWL'
                Source: 10.0.Pedido_73580523.exe.7b0000.0.unpack, b2msoQPN7ewA6kYygC/KMbPfbnAvgFi7u0QLQ.csHigh entropy of concatenated method names: 'pmWIbYUfQp', 'M0tIu1CusK', 'fLOIq50H3I', 'q98I573sUC', 'OFfIpNbfW6', 'XXdItnuAWT', 'pjaIQFX4Ax', 'yNuIDRDKdf', 'k3oIOgJvbn', 'j9bI2rstFU'
                Source: 10.0.Pedido_73580523.exe.7b0000.0.unpack, bGjaFXK4AxoNuRDKdf/cCKFfNgbfW6LXdnuAW.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'BUUdZ4Pffv', 'Eqp9NV3PkW', 'JPi9z1a3jf', 'e8olLukTcP', 'r1FlKEHmgs', 'ggjl520xDU', 'N7UlwoAOcv', 'lLxlD3bJVS'
                Source: 10.0.Pedido_73580523.exe.7b0000.0.unpack, uN58hUtKpKHESFnAWw/SOSVYwp5dV1e67DZTl.csHigh entropy of concatenated method names: 'L6jmNocZEF', 'ncvmOlGKs7', 'yHYmBETN97', 'siemE8ZuHC', 'GjFmgwB35f', 'RuTmKGcCBi', 'M95mcEHMTy', 'zZsm6Y3kRL', 'BdOm30u3KK', 'KuxmagolDg'
                Source: 10.0.Pedido_73580523.exe.7b0000.0.unpack, RF8PXKLrFH3jwUt3cN/oBbAM0U5fbpRrmLh7v.csHigh entropy of concatenated method names: 'xrECuAC1eC', 'iXsCpulKC2', 'BAyCt5axUV', '.ctor', '.ctor', 'VKgCjqQ6a9', 't8lCqJQdPp', 'aPgC5rOI0h', 'EhqCy3sUiS', 'OFDo377AD3Z5Et4Pcb6'
                Source: 10.0.Pedido_73580523.exe.7b0000.0.unpack, VHWJSn7IA2UoPAAISe/aNL8n8aSqN4K15x1JL.csHigh entropy of concatenated method names: '.ctor', 'yh0CIkSXto', 'AJxCTDdANe', 'qc8Cmb0xYQ', 'X3DClBADlW', 'rutCd3s73O', 'e0WCRbffml', 'j5Zrkw7QUcWaSA33HhC', 'nuGViT7iGlqsu4snG6Y', 'AZhXyG7o5P44f2QHEeh'
                Source: 10.0.Pedido_73580523.exe.7b0000.0.unpack, bso0TjOMFiq0gqErD5/b95wlyN3pg0wI9HhYC.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'EshxqvQgy5', 'qAHxpRP1VS', 'mXKxSKksJf', 'MrhxXHuAQt', 'uxgxc4ka3x', 'p6hx2rYjMu', 'dU2xFA7Cfd', 'bMHxeEtmL3'
                Source: 10.0.Pedido_73580523.exe.7b0000.0.unpack, xSOS3t5IFyYYMiRg2f/E1BXjUq1EXP7kpVXGa.csHigh entropy of concatenated method names: 'NZemHNXHAj', 'HUbmfgeC7V', 'SP0m09M6oG', 'e79mGd91Hs', 'FApmXXOKC7', 'N0UmYXfeCq', 'xmLmrFJ834', 'xSXm8oOugB', 'YsamwuFL3C', 'e80m9nxNof'
                Source: C:\Users\user\Desktop\Pedido_73580523.exeFile created: C:\Users\user\AppData\Roaming\AsJOyfF.exeJump to dropped file

                Boot Survival:

                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AsJOyfF' /XML 'C:\Users\user\AppData\Local\Temp\tmpE123.tmp'
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\Pedido_73580523.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\Pedido_73580523.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Window / User API: threadDelayed 1302
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Window / User API: threadDelayed 8530
                Source: C:\Users\user\Desktop\Pedido_73580523.exe TID: 1380 Thread sleep time: -44059s >= -30000s
                Source: C:\Users\user\Desktop\Pedido_73580523.exe TID: 5900 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\Pedido_73580523.exe TID: 5576 Thread sleep time: -24903104499507879s >= -30000s
                Source: C:\Users\user\Desktop\Pedido_73580523.exe TID: 6032 Thread sleep count: 1302 > 30
                Source: C:\Users\user\Desktop\Pedido_73580523.exe TID: 6032 Thread sleep count: 8530 > 30
                Source: C:\Users\user\Desktop\Pedido_73580523.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Thread delayed: delay time: 44059
                Source: Pedido_73580523.exe, 0000000A.00000002.485962524.0000000005D60000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: Pedido_73580523.exe Binary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
                Source: Pedido_73580523.exe, 0000000A.00000002.485962524.0000000005D60000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: Pedido_73580523.exe, 0000000A.00000002.485962524.0000000005D60000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: Pedido_73580523.exe, 0000000A.00000002.485962524.0000000005D60000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into a foreign process
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Memory written: C:\Users\user\Desktop\Pedido_73580523.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AsJOyfF' /XML 'C:\Users\user\AppData\Local\Temp\tmpE123.tmp'
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Process created: C:\Users\user\Desktop\Pedido_73580523.exe C:\Users\user\Desktop\Pedido_73580523.exe
                Source: Pedido_73580523.exe, 0000000A.00000002.480804673.0000000001650000.00000002.00000001.sdmp Binary or memory string: Program Manager
                Source: Pedido_73580523.exe, 0000000A.00000002.480804673.0000000001650000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                Source: Pedido_73580523.exe, 0000000A.00000002.480804673.0000000001650000.00000002.00000001.sdmp Binary or memory string: Progman
                Source: Pedido_73580523.exe, 0000000A.00000002.480804673.0000000001650000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Users\user\Desktop\Pedido_73580523.exe VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pedido_73580523.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Users\user\Desktop\Pedido_73580523.exe VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Pedido_73580523.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 10.2.Pedido_73580523.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.477029833.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 10.2.Pedido_73580523.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.477029833.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.482206356.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.483335897.0000000002D9E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pedido_73580523.exe PID: 5556, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Pedido_73580523.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Pedido_73580523.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Pedido_73580523.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: Yara match | File source: 0000000A.00000002.482206356.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pedido_73580523.exe PID: 5556, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 10.2.Pedido_73580523.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.477029833.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 10.2.Pedido_73580523.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.477029833.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.482206356.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.483335897.0000000002D9E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pedido_73580523.exe PID: 5556, type: MEMORY

                Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 112 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | DLL Side-Loading 1 | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 111 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 131 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | System Information Discovery 113 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

(Graph image not reproduced.) Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

Source | Detection | Scanner | Label
Pedido_73580523.exe | 100% | Joe Sandbox ML |

                Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\AsJOyfF.exe | 100% | Joe Sandbox ML |

                Unpacked PE Files

Source | Detection | Scanner | Label
10.2.Pedido_73580523.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                Domains

                No Antivirus matches

                URLs

Source | Detection | Scanner | Label
http://www.jiyu-kobo.co.jp/the | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnQ | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/T | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.founder.com.cn/cnS | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.urwpp.deiv | 0% | Avira URL Cloud | safe
http://www.fontbureau.comlic | 0% | URL Reputation | safe
http://www.fontbureau.comcomd$ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://mGfDbY.com | 0% | Avira URL Cloud | safe
http://en.w | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/y | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/W | 0% | Avira URL Cloud | safe
http://www.fontbureau.comoitu | 0% | URL Reputation | safe
http://www.founder.com.cn/cn- | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/s | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/o | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/p | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/k | 0% | URL Reputation | safe
http://www.founder.com.cn/cnhte | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                Domains and IPs

                Contacted Domains

                No contacted domains info

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.jiyu-kobo.co.jp/the | Pedido_73580523.exe, 00000000.00000003.214626858.00000000061F5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | Pedido_73580523.exe, 0000000A.00000002.482206356.0000000002CF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com | Pedido_73580523.exe, 00000000.00000003.217980203.00000000061F5000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cnQ | Pedido_73580523.exe, 00000000.00000003.212709588.00000000061F7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/ | Pedido_73580523.exe, 00000000.00000003.218489742.0000000006203000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNS | Pedido_73580523.exe, 0000000A.00000002.482206356.0000000002CF1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF | Pedido_73580523.exe, 00000000.00000003.218151297.00000000061F7000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/T | Pedido_73580523.exe, 00000000.00000003.214626858.00000000061F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Pedido_73580523.exe, 0000000A.00000002.482206356.0000000002CF1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnS | Pedido_73580523.exe, 00000000.00000003.213128785.00000000061F6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html. | Pedido_73580523.exe, 00000000.00000003.217489630.0000000006209000.00000004.00000001.sdmp | false | | high
http://api.twitter.com/1/direct_messages.xml?since_id= | Pedido_73580523.exe | false | | high
http://www.tiro.com | Pedido_73580523.exe, 00000000.00000003.211275545.000000000620B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deiv | Pedido_73580523.exe, 00000000.00000003.217980203.00000000061F5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comlic | Pedido_73580523.exe, 00000000.00000003.218151297.00000000061F7000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comcomd$ | Pedido_73580523.exe, 00000000.00000003.217980203.00000000061F5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://twitter.com/statuses/user_timeline.xml?screen_name= | Pedido_73580523.exe | false | | high
http://www.jiyu-kobo.co.jp/jp/ | Pedido_73580523.exe, 00000000.00000003.215049753.00000000061F5000.00000004.00000001.sdmp, Pedido_73580523.exe, 00000000.00000003.214626858.00000000061F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comd | Pedido_73580523.exe, 00000000.00000003.218151297.00000000061F7000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://mGfDbY.com | Pedido_73580523.exe, 0000000A.00000002.482206356.0000000002CF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://en.w | Pedido_73580523.exe, 00000000.00000003.210447083.00000000061F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Pedido_73580523.exe, 00000000.00000003.210192777.00000000061F3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | Pedido_73580523.exe, 00000000.00000003.213128785.00000000061F6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/y | Pedido_73580523.exe, 00000000.00000003.215049753.00000000061F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Pedido_73580523.exe, 00000000.00000003.220042751.0000000006202000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Pedido_73580523.exe, 00000000.00000003.213128785.00000000061F6000.00000004.00000001.sdmp, Pedido_73580523.exe, 00000000.00000003.212415190.000000000160D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/W | Pedido_73580523.exe, 00000000.00000003.212934206.00000000061F8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comoitu | Pedido_73580523.exe, 00000000.00000003.217980203.00000000061F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn- | Pedido_73580523.exe, 00000000.00000003.213128785.00000000061F6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/s | Pedido_73580523.exe, 00000000.00000003.215049753.00000000061F5000.00000004.00000001.sdmp | false
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.jiyu-kobo.co.jp/oPedido_73580523.exe, 00000000.00000003.214626858.00000000061F5000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.jiyu-kobo.co.jp/pPedido_73580523.exe, 00000000.00000003.215049753.00000000061F5000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.jiyu-kobo.co.jp/Pedido_73580523.exe, 00000000.00000003.215049753.00000000061F5000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.jiyu-kobo.co.jp/kPedido_73580523.exe, 00000000.00000003.215049753.00000000061F5000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.founder.com.cn/cnhtePedido_73580523.exe, 00000000.00000003.212339302.00000000061FD000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.jiyu-kobo.co.jp/Y0Pedido_73580523.exe, 00000000.00000003.214626858.00000000061F5000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        https://api.ipify.org%GETMozilla/5.0Pedido_73580523.exe, 0000000A.00000002.482206356.0000000002CF1000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        low
                        http://www.ascendercorp.com/typedesigners.htmlPedido_73580523.exe, 00000000.00000003.215049753.00000000061F5000.00000004.00000001.sdmp, Pedido_73580523.exe, 00000000.00000003.215200841.0000000006234000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.urwpp.dePedido_73580523.exe, 00000000.00000003.217980203.00000000061F5000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.sakkal.comPedido_73580523.exe, 00000000.00000003.215049753.00000000061F5000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.com/designers/Pedido_73580523.exe, 00000000.00000003.216583599.0000000006231000.00000004.00000001.sdmpfalse
                          high
                          https://api.ipify.org%Pedido_73580523.exe, 0000000A.00000002.483185292.0000000002D96000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          low
                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipPedido_73580523.exe, 0000000A.00000002.477029833.0000000000402000.00000040.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.comitudPedido_73580523.exe, 00000000.00000003.218151297.00000000061F7000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown

                          Contacted IPs

                          No contacted IP infos

                          General Information

                          Joe Sandbox Version:33.0.0 White Diamond
                          Analysis ID:452720
                          Start date:22.07.2021
                          Start time:18:57:08
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 7m 43s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Sample file name:Pedido_73580523.exe
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:30
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@6/4@0/0
                          EGA Information:Failed
                          HDC Information:Failed
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 15
                          • Number of non-executed functions: 2
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .exe
                          Warnings:
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.

                          Simulations

                          Behavior and APIs

Time      Type             Description
18:58:26  API Interceptor  621x Sleep call for process: Pedido_73580523.exe modified

                          Joe Sandbox View / Context

                          IPs

                          No context

                          Domains

                          No context

                          ASN

                          No context

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Pedido_73580523.exe.log
                          Process:C:\Users\user\Desktop\Pedido_73580523.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):1314
                          Entropy (8bit):5.350128552078965
                          Encrypted:false
                          SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                          MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                          SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                          SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                          SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                          Malicious:true
                          Reputation:high, very likely benign file
                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                          C:\Users\user\AppData\Local\Temp\tmpE123.tmp
                          Process:C:\Users\user\Desktop\Pedido_73580523.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1640
                          Entropy (8bit):5.189035414438582
                          Encrypted:false
                          SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBJtn:cbh47TlNQ//rydbz9I3YODOLNdq3t
                          MD5:1CFD403DA59597FBE594CD86E12C9F07
                          SHA1:9D8F9C78554F0A1B57CAC5C955D1EFCBA5B46086
                          SHA-256:13E8734988EB55A665C821F06E4CC25DFF34058E3B0F4A70084E210AAF0D1A1F
                          SHA-512:BE8F7F482567A25E5D6FC92AF79CB10B669604A85A012F6000E75BEE17554B35748F8A5E6521E87DCC576A797106A8FD5903213FEDDA279DD612E1C889C6FBA5
                          Malicious:true
                          Reputation:low
                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                          C:\Users\user\AppData\Roaming\AsJOyfF.exe
                          Process:C:\Users\user\Desktop\Pedido_73580523.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):1018368
                          Entropy (8bit):7.253301273224395
                          Encrypted:false
                          SSDEEP:24576:m+K48+PqKfwtB3ZklaTV1S3wqNqzahprNeLc:Xq6wvZGaTVWwNOiLc
                          MD5:FACF53403056E3D7529FC8A5CE8BE77F
                          SHA1:384A0565E553AC374DD6D197B51A94BACE517F36
                          SHA-256:3BD0C04EE4C4BA078C54F4E7F5F956894204B2CCFBE84CDF934C40B28E30165E
                          SHA-512:1F1FACE7BA52A0FB9451E65B022BA630FD395FF55F1EA3666541B677203FBF0095A98A75A0FECB12CDEFAA59627AD6125AF5C3547D56AB034F57E51594E55E83
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Reputation:low
                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... .`.................$...b.......B... ...`....@.. ....................................@..................................B..K........]........................................................................... ............... ..H............text...."... ...$.................. ..`.sdata.......`.......(..............@....rsrc....].......^...*..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          C:\Users\user\AppData\Roaming\AsJOyfF.exe:Zone.Identifier
                          Process:C:\Users\user\Desktop\Pedido_73580523.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Reputation:high, very likely benign file
                          Preview: [ZoneTransfer]....ZoneId=0

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.253301273224395
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                          • Win32 Executable (generic) a (10002005/4) 49.75%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Windows Screen Saver (13104/52) 0.07%
                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                          File name:Pedido_73580523.exe
                          File size:1018368
                          MD5:facf53403056e3d7529fc8a5ce8be77f
                          SHA1:384a0565e553ac374dd6d197b51a94bace517f36
                          SHA256:3bd0c04ee4c4ba078c54f4e7f5f956894204b2ccfbe84cdf934c40b28e30165e
                          SHA512:1f1face7ba52a0fb9451e65b022ba630fd395ff55f1ea3666541b677203fbf0095a98a75a0fecb12cdefaa59627ad6125af5c3547d56ab034f57e51594e55e83
                          SSDEEP:24576:m+K48+PqKfwtB3ZklaTV1S3wqNqzahprNeLc:Xq6wvZGaTVWwNOiLc
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... .`.................$...b.......B... ...`....@.. ....................................@................................

                          File Icon

                          Icon Hash:70d8ccd2d6ccf071

                          Static PE Info

                          General

                          Entrypoint:0x4c42de
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Time Stamp:0x60F92017 [Thu Jul 22 07:36:55 2021 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:v4.0.30319
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                          Entrypoint Preview

                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al

                          Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xc4290          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc8000          0x35db8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xfe000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                          Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0xc22e4       0xc2400   False     0.7730252574     data       7.55884475799    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata  0xc6000          0x18          0x200     False     0.060546875      data       0.456640975135   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0xc8000          0x35db8       0x35e00   False     0.368383845708   data       5.19543119017    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xfe000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

Name           RVA      Size     Type                                                                                                                                        Language  Country
RT_ICON        0xc82e0  0x94a9   PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
RT_ICON        0xd178c  0x4872   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0xd6000  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON        0xe6828  0x94a8   data
RT_ICON        0xefcd0  0x5488   data
RT_ICON        0xf5158  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16318463, next used block 4294909696
RT_ICON        0xf9380  0x25a8   data
RT_ICON        0xfb928  0x10a8   data
RT_ICON        0xfc9d0  0x988    data
RT_ICON        0xfd358  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xfd7c0  0x92     data
RT_VERSION     0xfd854  0x376    data
RT_MANIFEST    0xfdbcc  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                          Imports

DLL          Import
mscoree.dll  _CorExeMain

                          Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    (c) 2019 Riot Games, Inc.
Assembly Version  2.0.26.9
InternalName      NullableMarshal.exe
FileVersion       2.0.26.9
CompanyName       Riot Games, Inc.
LegalTrademarks
Comments
ProductName       Riot Client
ProductVersion    2.0.26.9
FileDescription   Riot Client
OriginalFilename  NullableMarshal.exe

                          Network Behavior

                          No network behavior found

                          Code Manipulations

                          Statistics

                          CPU Usage

                          Memory Usage

                          High Level Behavior Distribution

                          Behavior

                          System Behavior

                          General

                          Start time:18:57:58
                          Start date:22/07/2021
                          Path:C:\Users\user\Desktop\Pedido_73580523.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Users\user\Desktop\Pedido_73580523.exe'
                          Imagebase:0xcb0000
                          File size:1018368 bytes
                          MD5 hash:FACF53403056E3D7529FC8A5CE8BE77F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:low

                          General

                          Start time:18:58:27
                          Start date:22/07/2021
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\AsJOyfF' /XML 'C:\Users\user\AppData\Local\Temp\tmpE123.tmp'
                          Imagebase:0xb10000
                          File size:185856 bytes
                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:18:58:28
                          Start date:22/07/2021
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6b2800000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:18:58:28
                          Start date:22/07/2021
                          Path:C:\Users\user\Desktop\Pedido_73580523.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\Pedido_73580523.exe
                          Imagebase:0x7b0000
                          File size:1018368 bytes
                          MD5 hash:FACF53403056E3D7529FC8A5CE8BE77F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.477029833.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000002.477029833.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.482206356.0000000002CF1000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.482206356.0000000002CF1000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.483335897.0000000002D9E000.00000004.00000001.sdmp, Author: Joe Security
                          Reputation:low

                          Disassembly

                          Code Analysis


                            Executed Functions

                            Memory Dump Source
                            • Source File: 0000000A.00000002.479965547.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 38a3f33ebbee87b655e2fb9487dc9aa04b48644169d332058dfbdde827d18d26
                            • Instruction ID: 7ae5c7f42360a551b717ecbdcd0c5a64dde1fc34bd236fb288abc545c0be46fa
                            • Opcode Fuzzy Hash: 38a3f33ebbee87b655e2fb9487dc9aa04b48644169d332058dfbdde827d18d26
                            • Instruction Fuzzy Hash: FF836D71D007198FCB51DF68C8846EAB7F1FF95310F56D69AE488AB211EB30AAC5CB41
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.479965547.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID: System
                            • String ID:
                            • API String ID: 3470857405-0
                            • Opcode ID: 58fe3bc4c40c61f63c06b50e641fee0d3352f40195eebc7df6867085182208f6
                            • Instruction ID: 7b2b74166ec5ccfd6bff48435097e948684409b1836a81ad58a9f3988e59066a
                            • Opcode Fuzzy Hash: 58fe3bc4c40c61f63c06b50e641fee0d3352f40195eebc7df6867085182208f6
                            • Instruction Fuzzy Hash: A762D030B002489FDB55DBB8C854BAEBBF2AF88304F558469E945EB392DB31DC45CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.480040954.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a3351af44b8165ebd8eab9652a6fe0ba0dc920c51009be66b9370b70403e4feb
                            • Instruction ID: e1eb36c0fcf4616677fc2dd895ae3483fa6b434476199585657027aee7bd5d81
                            • Opcode Fuzzy Hash: a3351af44b8165ebd8eab9652a6fe0ba0dc920c51009be66b9370b70403e4feb
                            • Instruction Fuzzy Hash: 3F127FB08177568BE730CF69F94C18D3BA1F745728B50420AD2612B6EDDBF9119ACF84
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.480040954.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a0c8c234eebaedb47a658950c567f6e43dd569a0f4d455dce818fd7b412a1dbc
                            • Instruction ID: 35c93b95567f2a91b6257dd1d15ae56d44730a64d9f8a4301134459aeba06848
                            • Opcode Fuzzy Hash: a0c8c234eebaedb47a658950c567f6e43dd569a0f4d455dce818fd7b412a1dbc
                            • Instruction Fuzzy Hash: 2EE149B18167858FD731CF64F84C18D3BB1FB86328B25421BD2616B2E9DBB9148ACF44
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.480040954.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a30581a10b5cbd263599c401053b3173c03b0283e157721cc823bdbe06449d7a
                            • Instruction ID: be57e8b22e14e7e6b29fc206bfa77918c62aff411df07ede2445abe5bcad9b05
                            • Opcode Fuzzy Hash: a30581a10b5cbd263599c401053b3173c03b0283e157721cc823bdbe06449d7a
                            • Instruction Fuzzy Hash: D0E147B18167958FD731CF64F84C18D3BB1BB86328F15421AD2616B2EADBB9148ACF44
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 01106BB0
                            • GetCurrentThread.KERNEL32 ref: 01106BED
                            • GetCurrentProcess.KERNEL32 ref: 01106C2A
                            • GetCurrentThreadId.KERNEL32 ref: 01106C83
                            Memory Dump Source
                            • Source File: 0000000A.00000002.480040954.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: ba2f90ef69f6329ccca4b9086de7825e931878cdeab8b8eda59842bc9c46e801
                            • Instruction ID: cce1c3511e12e15e44fc015512a073fbcb8c45e16c08c4e80bfd3aaa6d016d63
                            • Opcode Fuzzy Hash: ba2f90ef69f6329ccca4b9086de7825e931878cdeab8b8eda59842bc9c46e801
                            • Instruction Fuzzy Hash: D85133B0E006498FDB18CFAAD648BDEBBF1FF88314F24805AE519A7390D7746944CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetDpiForSystem.USER32(00000000,?,00000000,00000000), ref: 01054333
                            Memory Dump Source
                            • Source File: 0000000A.00000002.479965547.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID: System
                            • String ID:
                            • API String ID: 3470857405-0
                            • Opcode ID: 52c35961bb33accb0cfe3465aef2620351eeaebc201c60fa3f50aaf71ae25793
                            • Instruction ID: d76eb3165d7c6cf1b92a9af84f33252c4472da5a75b2f0896e31b20d762a2f2b
                            • Opcode Fuzzy Hash: 52c35961bb33accb0cfe3465aef2620351eeaebc201c60fa3f50aaf71ae25793
                            • Instruction Fuzzy Hash: 171232F7D823484BC3874A988C893E477B3FBE12E07DF6079C19946A49FA3995935708
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011052A2
                            Memory Dump Source
                            • Source File: 0000000A.00000002.480040954.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            • Opcode ID: 8cef3ea8f537bfdada7fef13f5f8b27f60909dbd2c58d4600697f45858b5dbb9
                            • Instruction ID: 2707c2d22d82ba743d8305ca1e5a990e7d00e7698f947c1668f6d8a792369b8b
                            • Opcode Fuzzy Hash: 8cef3ea8f537bfdada7fef13f5f8b27f60909dbd2c58d4600697f45858b5dbb9
                            • Instruction Fuzzy Hash: EF51B3B1D00309DFDB15CFAAC884ADEBFB6BF58314F24812AE415AB250D7B59845CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011052A2
                            Memory Dump Source
                            • Source File: 0000000A.00000002.480040954.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            • Opcode ID: 38888d63fae7ab76ae2bc152114ae3a784097e6a25b177712207919077e80362
                            • Instruction ID: 41e55df3a9f07b85d3db0d91b88006af57ce9a79b7e25cfd8e365d9675c470d8
                            • Opcode Fuzzy Hash: 38888d63fae7ab76ae2bc152114ae3a784097e6a25b177712207919077e80362
                            • Instruction Fuzzy Hash: A341B3B1D10309DFDF15CF9AC884ADEBBB6BF58314F24812AE815AB250D7B49845CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 01107D09
                            Memory Dump Source
                            • Source File: 0000000A.00000002.480040954.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                            Similarity
                            • API ID: CallProcWindow
                            • String ID:
                            • API String ID: 2714655100-0
                            • Opcode ID: a024f7acf1d9acc5647438625b786547ae53902f525a05b3a4e239318e87fd18
                            • Instruction ID: 7ba0d76529e45909782ed461906d8da34a7f57171827774f48a701a822291377
                            • Opcode Fuzzy Hash: a024f7acf1d9acc5647438625b786547ae53902f525a05b3a4e239318e87fd18
                            • Instruction Fuzzy Hash: AA415B75E00205CFCB19CF99C488AAEBBF5FF88314F258449E519AB3A1D774A841CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01106DFF
                            Memory Dump Source
                            • Source File: 0000000A.00000002.480040954.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 7377b4440dc0d8798064df472983179ea2a9ba6f8e49af7cc9f0a4854a8965a4
                            • Instruction ID: 55f0f57d36dbb0baa991ba424913e7a560c9ae7aa00467797d378bd9ee23671f
                            • Opcode Fuzzy Hash: 7377b4440dc0d8798064df472983179ea2a9ba6f8e49af7cc9f0a4854a8965a4
                            • Instruction Fuzzy Hash: 3221E3B5D002489FDB10CFAAD484ADEBBF4EB48324F14851AE954A7350D378A954CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01106DFF
                            Memory Dump Source
                            • Source File: 0000000A.00000002.480040954.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 86e7a014b2eae6be977391b8ff6101c6b3f0257a63a0d41eed49d38fdbb97540
                            • Instruction ID: a746007496a9c1f4d38606775142342660c95286318c06155dfbbe607c326622
                            • Opcode Fuzzy Hash: 86e7a014b2eae6be977391b8ff6101c6b3f0257a63a0d41eed49d38fdbb97540
                            • Instruction Fuzzy Hash: B721C2B5D00219DFDB10CFAAD984ADEBBF8EB48324F14841AE914A7350D778A954CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlEncodePointer.NTDLL(00000000), ref: 0110BE02
                            Memory Dump Source
                            • Source File: 0000000A.00000002.480040954.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                            Similarity
                            • API ID: EncodePointer
                            • String ID:
                            • API String ID: 2118026453-0
                            • Opcode ID: 4cb2b1d775c2bd6b3ab167dad98b3b6e58914cd329d3481d35144b1955c7a9ca
                            • Instruction ID: f2f2d367b46f91da4e851571b147c3ba829810f3504f07a93b3d804308d34e2b
                            • Opcode Fuzzy Hash: 4cb2b1d775c2bd6b3ab167dad98b3b6e58914cd329d3481d35144b1955c7a9ca
                            • Instruction Fuzzy Hash: A321B8B29043858FDB21EFAAD80839EBFF4FB05328F60846AD144A7241C7796404CBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlEncodePointer.NTDLL(00000000), ref: 0110BE02
                            Memory Dump Source
                            • Source File: 0000000A.00000002.480040954.0000000001100000.00000040.00000001.sdmp, Offset: 01100000, based on PE: false
                            Similarity
                            • API ID: EncodePointer
                            • String ID:
                            • API String ID: 2118026453-0
                            • Opcode ID: 6e83baf89c850f73daaed9ced5529800452917929f425d7a6fad87f3e08f0cda
                            • Instruction ID: f8437a60e825e3972abff5c6d5d3435fb60828dd8cbba867dfc9d2580e373e01
                            • Opcode Fuzzy Hash: 6e83baf89c850f73daaed9ced5529800452917929f425d7a6fad87f3e08f0cda
                            • Instruction Fuzzy Hash: 1911ACB1D003498FDB20EFAAD5087DEBBF8FB44324F60802AD504A7640CB796944CFA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetDpiForSystem.USER32(00000000,?,00000000,00000000), ref: 01054333
                            Memory Dump Source
                            • Source File: 0000000A.00000002.479965547.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID: System
                            • String ID:
                            • API String ID: 3470857405-0
                            • Opcode ID: f7b280985b76eb7dcdb325697a210febd787f5a991f500e07b8da3b36d50fa58
                            • Instruction ID: 3ce42a11e2d59e7553dab05b25e17492ebb83e8cb7f33993510a469e6b005455
                            • Opcode Fuzzy Hash: f7b280985b76eb7dcdb325697a210febd787f5a991f500e07b8da3b36d50fa58
                            • Instruction Fuzzy Hash: BCF0C2313091481BC719617A5C656FFF5CF9FCA220F54883AFA0ADB386DD298C4243A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Memory Dump Source
                            • Source File: 0000000A.00000002.479965547.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: da8ec0972f469de2b9bbecfc038754dd8303e9fe8b31795b52e49a1706d6bbc8
                            • Instruction ID: d68852407d3fab5557b6d3c02580ea66ddfc44e2ef2670d76dc5dfba6b6358e1
                            • Opcode Fuzzy Hash: da8ec0972f469de2b9bbecfc038754dd8303e9fe8b31795b52e49a1706d6bbc8
                            • Instruction Fuzzy Hash: 70131C70D106198ECB55EF68C8546EEF7B1BF89300F15C69AE549BB211EB30AAC5CF41
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000A.00000002.477729365.00000000007B2000.00000002.00020000.sdmp, Offset: 007B0000, based on PE: true
                            • Associated: 0000000A.00000002.477695991.00000000007B0000.00000002.00020000.sdmp
                            • Associated: 0000000A.00000002.478133368.0000000000878000.00000002.00020000.sdmp
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7ab9e420dab610c51a7c1d9d29950fa53b0e87d0f84fa51af601f60896ec211d
                            • Instruction ID: 30188cfd16b7352d40fbd6aa66416527ac89b25f8e32e58e994758c47fb76a7a
                            • Opcode Fuzzy Hash: 7ab9e420dab610c51a7c1d9d29950fa53b0e87d0f84fa51af601f60896ec211d
                            • Instruction Fuzzy Hash: 8B12802554E3C29FC7138B789CB55917FB4AE4B25431E09DBD4C0CF0B3D25869A9EB22
                            Uniqueness

                            Uniqueness Score: -1.00%