Analysis Report Shipping Documents (INV,PL,BL)_pdf.exe

Overview

General Information

Sample Name: Shipping Documents (INV,PL,BL)_pdf.exe
Analysis ID: 320999
MD5: aed402d9a5675f5796265e5170ada7cb
SHA1: d2e2087f83c1ef3d10cbe60acb721745d19306b3
SHA256: 44350179d4fdd08fd02c02b733f80c82d54f5af31c8a2432de9cfb6b11ab4aa0
Tags: DHL, exe, GuLoader


Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://lifeandhealth.com.mx/) Avira URL Cloud: Label: malware
Source: https://lifeandhealth.com.mx/x Avira URL Cloud: Label: malware
Source: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bind Avira URL Cloud: Label: malware
Source: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bin_ Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Shipping Documents (INV,PL,BL)_pdf.exe Virustotal: Detection: 21% Perma Link
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4x nop then pop esi 11_2_00C672B0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4x nop then pop edi 11_2_00C66BC7

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /icm9/?jJEpd=vVVBlGd6XjiYufiPZCtpE8ClhRDPSp+6pFrvIQJUgNbClm9AeMVCLXFgut4jwu7Jje2C&wZ9=O2MpVr HTTP/1.1
  Host: www.drinksandfruits.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (7 x 0x00, non-printable)
Source: global traffic HTTP traffic detected: GET /icm9/?jJEpd=tzd6f6hltsiSnXVk4gBb1fk7WFCRZPV169uDhTo4RpQ3iNZth/6Mcmvn9cuuL1csRrj/&wZ9=O2MpVr HTTP/1.1
  Host: www.iatlet.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (7 x 0x00, non-printable)
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NETSOURCEUS NETSOURCEUS
Source: Joe Sandbox View ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Windows\explorer.exe Code function: 3_2_061F5782 getaddrinfo,setsockopt,recv, 3_2_061F5782
Source: unknown DNS traffic detected: queries for: lifeandhealth.com.mx
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Date: Fri, 20 Nov 2020 07:55:04 GMT
  Server: Apache
  Content-Length: 315
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> </body></html>
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp String found in binary or memory: http://cert.i
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: explorer.exe, 00000003.00000000.297520534.000000000F6D4000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.84streetchamber.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.84streetchamber.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.84streetchamber.com/icm9/www.verifyinstagram-help.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.84streetchamber.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.cannahavedessert.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.cannahavedessert.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.cannahavedessert.com/icm9/www.kalcio.site
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.cannahavedessert.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.drinksandfruits.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.drinksandfruits.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.drinksandfruits.com/icm9/www.iatlet.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.drinksandfruits.comReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.faithinfitness.net
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.faithinfitness.net/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.faithinfitness.net/icm9/www.hunexhq.icu
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.faithinfitness.netReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.frontierautoglasswheatfield.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.frontierautoglasswheatfield.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.frontierautoglasswheatfield.com/icm9/M
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.frontierautoglasswheatfield.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.gcsisgreen.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.gcsisgreen.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.gcsisgreen.com/icm9/www.smartbulk.store
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.gcsisgreen.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.hunexhq.icu
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.hunexhq.icu/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.hunexhq.icu/icm9/www.frontierautoglasswheatfield.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.hunexhq.icuReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.iatlet.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.iatlet.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.iatlet.com/icm9/www.leepl.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.iatlet.comReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.images77.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.images77.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.images77.com/icm9/www.gcsisgreen.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.images77.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.kalcio.site
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.kalcio.site/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.kalcio.site/icm9/www.mademoisellepierre.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.kalcio.siteReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.leepl.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.leepl.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.leepl.com/icm9/www.nationalcanopies.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.leepl.comReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.machevate.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.machevate.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.machevate.com/icm9/www.84streetchamber.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.machevate.comReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.mademoisellepierre.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.mademoisellepierre.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.mademoisellepierre.com/icm9/www.images77.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.mademoisellepierre.comReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.nationalcanopies.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.nationalcanopies.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.nationalcanopies.com/icm9/www.cannahavedessert.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.nationalcanopies.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.smartbulk.store
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.smartbulk.store/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.smartbulk.store/icm9/www.machevate.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.smartbulk.storeReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.verifyinstagram-help.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.verifyinstagram-help.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.verifyinstagram-help.com/icm9/www.faithinfitness.net
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.verifyinstagram-help.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp String found in binary or memory: https://lifeandhealth.com.mx/)
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp String found in binary or memory: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bin
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp String found in binary or memory: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bin_
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp String found in binary or memory: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bind
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp String found in binary or memory: https://lifeandhealth.com.mx/x
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
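The sixteen "http://www.A/icm9/www.B" strings recovered from explorer.exe memory above read as one contiguous host list: each URI is immediately followed in memory by the start of the next host, so the trailing host of one string is the leading host of another. The script below is an added example, not part of the Joe Sandbox report. It follows those links to recover the list order and parses the two observed GET beacons into host, path and raw query parameters, then checks each beacon against the recovered list. Every input row is copied from this report; reading the glued strings as list order is an analyst inference (one the observed beacon order, drinksandfruits.com then iatlet.com, happens to support), and nothing here attempts to decrypt the jJEpd blob.

```python
"""Recover the FormBook C2 host list order and parse the observed beacons.

Added example, not part of the Joe Sandbox report. Inputs are copied from the
report's "String found in binary or memory" and "HTTP traffic detected" rows.
The inference that "http://www.A/icm9/www.B" means "B follows A in the
in-memory list" is an analyst assumption.
"""
import re
from urllib.parse import urlsplit

# Strings from explorer.exe memory, copied from the report. The host after the
# URI path is the start of the next entry, glued on because the entries sit
# back-to-back in memory. The ".../icm9/M" row has no readable successor.
MEMORY_STRINGS = [
    "http://www.84streetchamber.com/icm9/www.verifyinstagram-help.com",
    "http://www.cannahavedessert.com/icm9/www.kalcio.site",
    "http://www.drinksandfruits.com/icm9/www.iatlet.com",
    "http://www.faithinfitness.net/icm9/www.hunexhq.icu",
    "http://www.frontierautoglasswheatfield.com/icm9/M",
    "http://www.gcsisgreen.com/icm9/www.smartbulk.store",
    "http://www.hunexhq.icu/icm9/www.frontierautoglasswheatfield.com",
    "http://www.iatlet.com/icm9/www.leepl.com",
    "http://www.images77.com/icm9/www.gcsisgreen.com",
    "http://www.kalcio.site/icm9/www.mademoisellepierre.com",
    "http://www.leepl.com/icm9/www.nationalcanopies.com",
    "http://www.machevate.com/icm9/www.84streetchamber.com",
    "http://www.mademoisellepierre.com/icm9/www.images77.com",
    "http://www.nationalcanopies.com/icm9/www.cannahavedessert.com",
    "http://www.smartbulk.store/icm9/www.machevate.com",
    "http://www.verifyinstagram-help.com/icm9/www.faithinfitness.net",
]

# Request line and Host header of each observed beacon, copied from the report.
OBSERVED_BEACONS = [
    ("GET /icm9/?jJEpd=vVVBlGd6XjiYufiPZCtpE8ClhRDPSp+6pFrvIQJUgNbClm9AeMVCLXFgut4jwu7Jje2C&wZ9=O2MpVr HTTP/1.1",
     "www.drinksandfruits.com"),
    ("GET /icm9/?jJEpd=tzd6f6hltsiSnXVk4gBb1fk7WFCRZPV169uDhTo4RpQ3iNZth/6Mcmvn9cuuL1csRrj/&wZ9=O2MpVr HTTP/1.1",
     "www.iatlet.com"),
]

_PAIR = re.compile(r"^http://(www\.[^/]+)/(?P<path>[^/]+)/(www\.[^/]+)$")


def successor_map(strings):
    """Return ({host: next_host}, {uri paths seen}) from the glued strings."""
    nxt, paths = {}, set()
    for s in strings:
        m = _PAIR.match(s)
        if m is None:  # truncated or garbled row: no successor to record
            continue
        nxt[m.group(1)] = m.group(3)
        paths.add(m.group("path"))
    return nxt, paths


def ordered_hosts(strings):
    """Walk the successor links from the unique head (a host nothing points to)."""
    nxt, _ = successor_map(strings)
    heads = set(nxt) - set(nxt.values())
    if len(heads) != 1:
        raise ValueError(f"expected exactly one list head, found {sorted(heads)}")
    chain, cur = [], heads.pop()
    while cur is not None and cur not in chain:  # stop at the tail or on a cycle
        chain.append(cur)
        cur = nxt.get(cur)
    return chain


def parse_beacon(request_line, host):
    """Split a beacon into method, host, path and *raw* query parameters.

    urllib.parse.parse_qs is deliberately not used: it would turn '+' into a
    space and percent-decode the value, corrupting the base64-like jJEpd blob.
    """
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = dict(kv.split("=", 1) for kv in parts.query.split("&") if kv)
    return {"method": method, "host": host, "path": parts.path, "params": params}


def triage(strings, beacons):
    """Recover the host list and mark each beacon against it."""
    hosts = ordered_hosts(strings)
    _, paths = successor_map(strings)
    results = []
    for line, host in beacons:
        b = parse_beacon(line, host)
        b["list_index"] = hosts.index(host) if host in hosts else None
        b["path_in_config"] = b["path"].strip("/") in paths
        results.append(b)
    return hosts, results


if __name__ == "__main__":
    hosts, results = triage(MEMORY_STRINGS, OBSERVED_BEACONS)
    for i, h in enumerate(hosts):
        print(f"{i:2d} {h}")
    for b in results:
        print(b["host"], b["path"], "list index", b["list_index"], sorted(b["params"]))
```

Run as-is it prints the sixteen hosts in recovered order and shows both beacons landing on indices 0 and 1 with the same /icm9/ path the memory strings carry; the report itself does not say which of the sixteen is the live controller and which are decoys, so the script makes no such claim.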

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000000.00000002.241695926.00000000006BA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.485764868.00000000031ED000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.487639953.0000000003A0F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
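The Yara hits above are reported against Joe Sandbox memory-dump identifiers rather than process names, and the report ties processes to images only indirectly: the code-function rows carry a <process>_<stage>_<address> ID next to an image path (11_2_... beside wlanext.exe, 3_2_... beside explorer.exe, 0_2_... beside the sample), and the string rows place an image name next to a dump identifier (process 1 is a second instance of the sample). The script below is an added example, not part of the report. It reads each dump identifier as <process>.<stage>.<dumpid>.<base>.<protection>.<type>.sdmp, joins the FormBook hits to their owning image through those rows, and flags hits that sit in executable memory. Treating the protection field as the Win32 PAGE_* constant is an assumption; it fits every dump on this page (0x40 for the unpacked payload regions, 0x04 for heap data, 0x02 for explorer.exe's read-only font strings). The stage and type fields are carried through without interpretation, and "pid" below is the sandbox's process index, not an OS PID.

```python
"""Join Joe Sandbox Yara memory hits to processes and page protections.

Added example, not part of the report. Dump identifiers are read as
<process>.<stage>.<dumpid>.<base>.<protection>.<type>.sdmp and code-function
IDs as <process>_<stage>_<address>; reading the protection field as the Win32
PAGE_* constant is an assumption. All input rows are copied from this report.
"""
import re

# Win32 memory protection constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # any PAGE_EXECUTE* bit

# Dumps that matched the FormBook Yara rules (copied from the report).
FORMBOOK_HITS = [
    "00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp",
    "0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp",
    "0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp",
    "00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp",
    "0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp",
]

# Rows that pair a sandbox process index with an image (copied from the report).
REPORT_ROWS = [
    r"Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4x nop then pop esi 11_2_00C672B0",
    r"Source: C:\Windows\explorer.exe Code function: 3_2_061F5782 getaddrinfo,setsockopt,recv, 3_2_061F5782",
    r"Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F7FAA NtWriteVirtualMemory, 0_2_020F7FAA",
    r"Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0",
]

_DUMP = re.compile(
    r"(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})\.sdmp"
)
_CODEFN = re.compile(r"^Source: (?P<image>.+?) Code function: .*?\b(?P<pid>\d+)_\d+_[0-9A-F]{8}\b")
_STRROW = re.compile(r"^Source: (?P<image>.+?), (?P<dump>\S+\.sdmp) String found")


def parse_dump_name(name):
    """Decode one .sdmp identifier into process index, base address and protection."""
    m = _DUMP.search(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump identifier: {name}")
    prot = int(m["prot"], 16)
    return {
        "pid": int(m["pid"], 16),          # sandbox process index, not an OS PID
        "stage": m["stage"],               # carried through, not interpreted
        "base": int(m["base"], 16),
        "protection": PAGE_PROTECT.get(prot, hex(prot)),
        "executable": bool(prot & EXECUTE_MASK),
        "type": m["type"],                 # carried through, not interpreted
    }


def process_map(rows):
    """Build {process index: image file name} from code-function and string rows."""
    pm = {}
    for row in rows:
        m = _CODEFN.match(row)
        if m:
            pm[int(m["pid"])] = m["image"].rsplit("\\", 1)[-1]
            continue
        m = _STRROW.match(row)
        if m:
            pm[parse_dump_name(m["dump"])["pid"]] = m["image"]
    return pm


def summarize_hits(dump_names, rows):
    """Attach the owning image to each Yara hit."""
    pm = process_map(rows)
    hits = []
    for name in dump_names:
        info = parse_dump_name(name)
        info["image"] = pm.get(info["pid"], "<unknown>")
        hits.append(info)
    return hits


def executable_hits_by_process(hits):
    """Processes holding Yara-matching code in executable memory: {pid: image}."""
    return {h["pid"]: h["image"] for h in hits if h["executable"]}


if __name__ == "__main__":
    hits = summarize_hits(FORMBOOK_HITS, REPORT_ROWS)
    for h in hits:
        print(f"pid {h['pid']:2d} {h['image']:<40} base 0x{h['base']:08X} {h['protection']}")
    print("executable FormBook code in:", executable_hits_by_process(hits))
```

On this report's rows the output places FormBook-matching code in RWX memory of both the sample (process 1) and wlanext.exe (process 11), with one further read-write hit in wlanext.exe; that is the picture the "Sample uses process hollowing technique" and "Maps a DLL or memory area into another process" signatures describe, read off the dump names directly.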
Executable has a suspicious name (potential lure to open the executable)
Source: Shipping Documents (INV,PL,BL)_pdf.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Shipping Documents (INV,PL,BL)_pdf.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F7FAA NtWriteVirtualMemory, 0_2_020F7FAA
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F97D3 NtResumeThread, 0_2_020F97D3
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F086A EnumWindows,NtSetInformationThread, 0_2_020F086A
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F0D0F NtWriteVirtualMemory,TerminateProcess, 0_2_020F0D0F
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F91CF NtProtectVirtualMemory, 0_2_020F91CF
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F89EB NtSetInformationThread, 0_2_020F89EB
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3A46 NtWriteVirtualMemory, 0_2_020F3A46
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F0A5C NtSetInformationThread, 0_2_020F0A5C
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9A7A NtResumeThread, 0_2_020F9A7A
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3A82 NtWriteVirtualMemory, 0_2_020F3A82
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3AAE NtWriteVirtualMemory, 0_2_020F3AAE
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9AB1 NtResumeThread, 0_2_020F9AB1
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3AEC NtWriteVirtualMemory, 0_2_020F3AEC
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9AE5 NtResumeThread, 0_2_020F9AE5
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F36F7 NtWriteVirtualMemory, 0_2_020F36F7
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9B0D NtResumeThread, 0_2_020F9B0D
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3B08 NtWriteVirtualMemory, 0_2_020F3B08
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9B4B NtResumeThread, 0_2_020F9B4B
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3744 NtWriteVirtualMemory, 0_2_020F3744
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3B40 NtWriteVirtualMemory, 0_2_020F3B40
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F2FAB NtWriteVirtualMemory, 0_2_020F2FAB
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F37A1 NtWriteVirtualMemory, 0_2_020F37A1
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9BB3 NtResumeThread, 0_2_020F9BB3
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3BCE NtWriteVirtualMemory, 0_2_020F3BCE
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F97DC NtResumeThread, 0_2_020F97DC
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9BEE NtResumeThread, 0_2_020F9BEE
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F37EC NtWriteVirtualMemory, 0_2_020F37EC
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3C06 NtWriteVirtualMemory, 0_2_020F3C06
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9804 NtResumeThread, 0_2_020F9804
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F982F NtResumeThread, 0_2_020F982F
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9C2E NtResumeThread, 0_2_020F9C2E
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3828 NtWriteVirtualMemory, 0_2_020F3828
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3C6F NtWriteVirtualMemory, 0_2_020F3C6F
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F988A NtResumeThread, 0_2_020F988A
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F989B NtResumeThread, 0_2_020F989B
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9C99 NtResumeThread, 0_2_020F9C99
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3CC8 NtWriteVirtualMemory, 0_2_020F3CC8
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9CDC NtResumeThread, 0_2_020F9CDC
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F98D4 NtResumeThread, 0_2_020F98D4
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F38E4 NtWriteVirtualMemory, 0_2_020F38E4
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F24E2 NtWriteVirtualMemory, 0_2_020F24E2
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F38F0 NtWriteVirtualMemory, 0_2_020F38F0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F090E NtSetInformationThread, 0_2_020F090E
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F990D NtResumeThread, 0_2_020F990D
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9D09 NtResumeThread, 0_2_020F9D09
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F0905 NtSetInformationThread, 0_2_020F0905
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F451B NtSetInformationThread, 0_2_020F451B
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F0517 NtSetInformationThread,NtWriteVirtualMemory, 0_2_020F0517
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3D3C NtWriteVirtualMemory, 0_2_020F3D3C
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9941 NtResumeThread, 0_2_020F9941
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F395C NtWriteVirtualMemory, 0_2_020F395C
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F996B NtResumeThread, 0_2_020F996B
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F097E NtSetInformationThread, 0_2_020F097E
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9D74 NtResumeThread, 0_2_020F9D74
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3D8C NtWriteVirtualMemory, 0_2_020F3D8C
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9998 NtResumeThread, 0_2_020F9998
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3191 NtWriteVirtualMemory, 0_2_020F3191
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F39A2 NtWriteVirtualMemory, 0_2_020F39A2
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F55B8 NtWriteVirtualMemory, 0_2_020F55B8
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9DB7 NtResumeThread, 0_2_020F9DB7
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F09CD NtSetInformationThread, 0_2_020F09CD
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F99D3 NtResumeThread, 0_2_020F99D3
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F9DEB NtResumeThread, 0_2_020F9DEB
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3DE9 NtWriteVirtualMemory, 0_2_020F3DE9
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F79FD NtWriteVirtualMemory, 0_2_020F79FD
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F41FB NtSetInformationThread, 0_2_020F41FB
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9A20 NtResumeThread,LdrInitializeThunk, 1_2_1E3E9A20
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_1E3E9A00
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_1E3E9660
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9A50 NtCreateFile,LdrInitializeThunk, 1_2_1E3E9A50
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_1E3E96E0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_1E3E9710
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_1E3E97A0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_1E3E9780
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_1E3E9860
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9840 NtDelayExecution,LdrInitializeThunk, 1_2_1E3E9840
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_1E3E98F0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_1E3E9910
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9540 NtReadFile,LdrInitializeThunk, 1_2_1E3E9540
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E99A0 NtCreateSection,LdrInitializeThunk, 1_2_1E3E99A0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E95D0 NtClose,LdrInitializeThunk, 1_2_1E3E95D0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9610 NtEnumerateValueKey, 1_2_1E3E9610
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9A10 NtQuerySection, 1_2_1E3E9A10
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9670 NtQueryInformationProcess, 1_2_1E3E9670
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9650 NtQueryValueKey, 1_2_1E3E9650
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9A80 NtOpenDirectoryObject, 1_2_1E3E9A80
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E96D0 NtCreateKey, 1_2_1E3E96D0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9730 NtQueryVirtualMemory, 1_2_1E3E9730
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3EA710 NtOpenProcessToken, 1_2_1E3EA710
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9B00 NtSetValueKey, 1_2_1E3E9B00
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9770 NtSetInformationFile, 1_2_1E3E9770
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3EA770 NtOpenThread, 1_2_1E3EA770
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9760 NtOpenProcess, 1_2_1E3E9760
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3EA3B0 NtGetContextThread, 1_2_1E3EA3B0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9FE0 NtCreateMutant, 1_2_1E3E9FE0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9820 NtEnumerateKey, 1_2_1E3E9820
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3EB040 NtSuspendThread, 1_2_1E3EB040
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E98A0 NtWriteVirtualMemory, 1_2_1E3E98A0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3EAD30 NtSetContextThread, 1_2_1E3EAD30
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9520 NtWaitForSingleObject, 1_2_1E3E9520
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9560 NtWriteFile, 1_2_1E3E9560
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9950 NtQueueApcThread, 1_2_1E3E9950
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E95F0 NtQueryInformationFile, 1_2_1E3E95F0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E99D0 NtCreateProcessEx, 1_2_1E3E99D0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_0056451B LdrInitializeThunk,NtProtectVirtualMemory, 1_2_0056451B
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_005691CF NtProtectVirtualMemory, 1_2_005691CF
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_0056322E TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 1_2_0056322E
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_005632C6 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 1_2_005632C6
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_005697D3 NtQueryInformationProcess, 1_2_005697D3
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00564395 Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 1_2_00564395
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00564441 NtProtectVirtualMemory, 1_2_00564441
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569804 NtQueryInformationProcess, 1_2_00569804
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_0056443B LdrInitializeThunk,NtProtectVirtualMemory, 1_2_0056443B
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569C2E NtQueryInformationProcess, 1_2_00569C2E
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_0056982F NtQueryInformationProcess, 1_2_0056982F
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_005698D4 NtQueryInformationProcess, 1_2_005698D4
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569CDC NtQueryInformationProcess, 1_2_00569CDC
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_005644EE LdrInitializeThunk,NtProtectVirtualMemory, 1_2_005644EE
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00564490 NtProtectVirtualMemory, 1_2_00564490
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_0056989B NtQueryInformationProcess, 1_2_0056989B
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569C99 NtQueryInformationProcess, 1_2_00569C99
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_0056988A NtQueryInformationProcess, 1_2_0056988A
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569941 NtQueryInformationProcess, 1_2_00569941
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569D74 NtQueryInformationProcess, 1_2_00569D74
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_0056456E LdrInitializeThunk,NtProtectVirtualMemory, 1_2_0056456E
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_0056996B NtQueryInformationProcess, 1_2_0056996B
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_0056450E LdrInitializeThunk,NtProtectVirtualMemory, 1_2_0056450E
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_0056990D NtQueryInformationProcess, 1_2_0056990D
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569D09 NtQueryInformationProcess, 1_2_00569D09
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00564522 NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 1_2_00564522
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_005699D3 NtQueryInformationProcess, 1_2_005699D3
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569DEB NtQueryInformationProcess, 1_2_00569DEB
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00563191 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 1_2_00563191
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569998 NtQueryInformationProcess, 1_2_00569998
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569DB7 NtQueryInformationProcess, 1_2_00569DB7
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00564654 NtProtectVirtualMemory, 1_2_00564654
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00563246 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 1_2_00563246
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569A7A NtQueryInformationProcess, 1_2_00569A7A
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_0056462E LdrInitializeThunk,NtProtectVirtualMemory, 1_2_0056462E
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_005632D1 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory, 1_2_005632D1
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569AE5 NtQueryInformationProcess, 1_2_00569AE5
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_005632E9 LdrInitializeThunk,NtProtectVirtualMemory, 1_2_005632E9
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00563288 LdrInitializeThunk,NtProtectVirtualMemory, 1_2_00563288
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569AB1 NtQueryInformationProcess, 1_2_00569AB1
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569B4B NtQueryInformationProcess, 1_2_00569B4B
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00563349 LdrInitializeThunk,NtProtectVirtualMemory, 1_2_00563349
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569B0D NtQueryInformationProcess, 1_2_00569B0D
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_005697DC NtQueryInformationProcess, 1_2_005697DC
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569BEE NtQueryInformationProcess, 1_2_00569BEE
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00569BB3 NtQueryInformationProcess, 1_2_00569BB3
Source: C:\Windows\explorer.exe Code function: 3_2_061F4A32 NtCreateFile, 3_2_061F4A32
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549A50 NtCreateFile,LdrInitializeThunk, 11_2_03549A50
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549910 NtAdjustPrivilegesToken,LdrInitializeThunk, 11_2_03549910
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035499A0 NtCreateSection,LdrInitializeThunk, 11_2_035499A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549840 NtDelayExecution,LdrInitializeThunk, 11_2_03549840
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549860 NtQuerySystemInformation,LdrInitializeThunk, 11_2_03549860
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549710 NtQueryInformationToken,LdrInitializeThunk, 11_2_03549710
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549FE0 NtCreateMutant,LdrInitializeThunk, 11_2_03549FE0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549780 NtMapViewOfSection,LdrInitializeThunk, 11_2_03549780
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549650 NtQueryValueKey,LdrInitializeThunk, 11_2_03549650
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549660 NtAllocateVirtualMemory,LdrInitializeThunk, 11_2_03549660
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035496D0 NtCreateKey,LdrInitializeThunk, 11_2_035496D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035496E0 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_035496E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549540 NtReadFile,LdrInitializeThunk, 11_2_03549540
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035495D0 NtClose,LdrInitializeThunk, 11_2_035495D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549B00 NtSetValueKey, 11_2_03549B00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0354A3B0 NtGetContextThread, 11_2_0354A3B0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549A10 NtQuerySection, 11_2_03549A10
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549A00 NtProtectVirtualMemory, 11_2_03549A00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549A20 NtResumeThread, 11_2_03549A20
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549A80 NtOpenDirectoryObject, 11_2_03549A80
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549950 NtQueueApcThread, 11_2_03549950
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035499D0 NtCreateProcessEx, 11_2_035499D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0354B040 NtSuspendThread, 11_2_0354B040
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549820 NtEnumerateKey, 11_2_03549820
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035498F0 NtReadVirtualMemory, 11_2_035498F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035498A0 NtWriteVirtualMemory, 11_2_035498A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0354A770 NtOpenThread, 11_2_0354A770
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549770 NtSetInformationFile, 11_2_03549770
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549760 NtOpenProcess, 11_2_03549760
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0354A710 NtOpenProcessToken, 11_2_0354A710
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549730 NtQueryVirtualMemory, 11_2_03549730
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035497A0 NtUnmapViewOfSection, 11_2_035497A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549670 NtQueryInformationProcess, 11_2_03549670
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549610 NtEnumerateValueKey, 11_2_03549610
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549560 NtWriteFile, 11_2_03549560
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0354AD30 NtSetContextThread, 11_2_0354AD30
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549520 NtWaitForSingleObject, 11_2_03549520
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035495F0 NtQueryInformationFile, 11_2_035495F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C69DF0 NtReadFile, 11_2_00C69DF0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C69D40 NtCreateFile, 11_2_00C69D40
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C69E70 NtClose, 11_2_00C69E70
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C69F20 NtAllocateVirtualMemory, 11_2_00C69F20
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C69D3B NtCreateFile, 11_2_00C69D3B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C69E6A NtClose, 11_2_00C69E6A
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 0350B150 appears 48 times
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: String function: 1E3AB150 appears 35 times
Sample file name is different from the original file name gathered from version info
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000000.00000002.241735598.0000000002090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.318768141.000000001E62F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312668816.0000000002590000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000000.240728958.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamefdselskontrol.exe vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000003.311332726.00000000009C3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamewlanext.exej% vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312648510.0000000002540000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe Binary or memory string: OriginalFilenamefdselskontrol.exe vs Shipping Documents (INV,PL,BL)_pdf.exe
Yara signature match
Source: 0000000B.00000002.485764868.00000000031ED000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.487639953.0000000003A0F000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/0@4/3
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_01
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe File created: C:\Users\user\AppData\Local\Temp\~DFCBA05B85C1CFCA00.TMP
Source: Shipping Documents (INV,PL,BL)_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Shipping Documents (INV,PL,BL)_pdf.exe Virustotal: Detection: 21%
Source: unknown Process created: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
Source: unknown Process created: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
Source: unknown Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Process created: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.296872528.000000000E1C0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp, wlanext.exe, 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Shipping Documents (INV,PL,BL)_pdf.exe, wlanext.exe
Source: Binary string: wlanext.pdb source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000003.311332726.00000000009C3000.00000004.00000001.sdmp
Source: Binary string: wlanext.pdbGCTL source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000003.311332726.00000000009C3000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.296872528.000000000E1C0000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: Shipping Documents (INV,PL,BL)_pdf.exe PID: 5268, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Shipping Documents (INV,PL,BL)_pdf.exe PID: 5268, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F8356 push ds; iretd 0_2_020F8363
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F8365 push ds; iretd 0_2_020F8380
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F07CD pushad ; retf 0_2_020F07CF
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F07EE pushad ; retf 0_2_020F07F0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3FD0D1 push ecx; ret 1_2_1E3FD0E4
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00568355 push ds; iretd 1_2_00568363
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00568365 push ds; iretd 1_2_00568380
Source: C:\Windows\explorer.exe Code function: 3_2_061F83E6 pushad ; ret 3_2_061F83E7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0355D0D1 push ecx; ret 11_2_0355D0E4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C6705B push esi; ret 11_2_00C6705C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C66989 push edi; retf 11_2_00C6698F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C67C5E push esi; iretd 11_2_00C67C5F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C67D40 push eax; ret 11_2_00C67D41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C6CEE2 push eax; ret 11_2_00C6CEE8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C6CEEB push eax; ret 11_2_00C6CF52
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C6CE95 push eax; ret 11_2_00C6CEE8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C69666 push ss; iretd 11_2_00C6966B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C66679 push ebp; retf 11_2_00C6667A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C6AE79 push ebx; ret 11_2_00C6AE7D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C6BE12 push ebp; ret 11_2_00C6BE15
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_00C6CF4C push eax; ret 11_2_00C6CF52

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xED
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wlanext.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F0D0F NtWriteVirtualMemory,TerminateProcess, 0_2_020F0D0F
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F0E46 TerminateProcess, 0_2_020F0E46
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F0E55 TerminateProcess, 0_2_020F0E55
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F0EB1 TerminateProcess, 0_2_020F0EB1
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F0EF6 TerminateProcess, 0_2_020F0EF6
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F0F55 TerminateProcess, 0_2_020F0F55
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F0FA7 TerminateProcess, 0_2_020F0FA7
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F0FEC TerminateProcess, 0_2_020F0FEC
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F1039 TerminateProcess, 0_2_020F1039
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F1083 TerminateProcess, 0_2_020F1083
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F10D7 TerminateProcess, 0_2_020F10D7
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F117A TerminateProcess, 0_2_020F117A
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F0D81 TerminateProcess, 0_2_020F0D81
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F0DE0 TerminateProcess, 0_2_020F0DE0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F11F6 TerminateProcess, 0_2_020F11F6
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe RDTSC instruction interceptor: First address: 00000000020F8088 second address: 00000000020F8088 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0E14EF96D8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f jmp 00007F0E14EF96F6h 0x00000021 test cx, cx 0x00000024 test eax, ecx 0x00000026 add edi, edx 0x00000028 pushad 0x00000029 mov ah, 87h 0x0000002b cmp ah, FFFFFF87h 0x0000002e jne 00007F0E14EF4D8Ch 0x00000034 popad 0x00000035 dec dword ptr [ebp+000000F8h] 0x0000003b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000042 jne 00007F0E14EF967Fh 0x00000044 cmp ax, cx 0x00000047 cmp dh, dh 0x00000049 call 00007F0E14EF975Bh 0x0000004e call 00007F0E14EF96EAh 0x00000053 lfence 0x00000056 mov edx, dword ptr [7FFE0014h] 0x0000005c lfence 0x0000005f ret 0x00000060 mov esi, edx 0x00000062 pushad 0x00000063 rdtsc
Tries to detect Any.run
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Shipping Documents (INV,PL,BL)_pdf.exe Binary or memory string: ROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Shipping Documents (INV,PL,BL)_pdf.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe RDTSC instruction interceptor: First address: 00000000020F8088 second address: 00000000020F8088 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0E14EF96D8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f jmp 00007F0E14EF96F6h 0x00000021 test cx, cx 0x00000024 test eax, ecx 0x00000026 add edi, edx 0x00000028 pushad 0x00000029 mov ah, 87h 0x0000002b cmp ah, FFFFFF87h 0x0000002e jne 00007F0E14EF4D8Ch 0x00000034 popad 0x00000035 dec dword ptr [ebp+000000F8h] 0x0000003b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000042 jne 00007F0E14EF967Fh 0x00000044 cmp ax, cx 0x00000047 cmp dh, dh 0x00000049 call 00007F0E14EF975Bh 0x0000004e call 00007F0E14EF96EAh 0x00000053 lfence 0x00000056 mov edx, dword ptr [7FFE0014h] 0x0000005c lfence 0x0000005f ret 0x00000060 mov esi, edx 0x00000062 pushad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe RDTSC instruction interceptor: First address: 00000000020F80AA second address: 00000000020F80AA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0E1437EC20h 0x0000001f popad 0x00000020 call 00007F0E1437E629h 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe RDTSC instruction interceptor: First address: 00000000005680AA second address: 00000000005680AA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0E14EF9E30h 0x0000001f popad 0x00000020 call 00007F0E14EF9839h 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 0000000000C598E4 second address: 0000000000C598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 0000000000C59B5E second address: 0000000000C59B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F086A rdtsc 0_2_020F086A
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe TID: 5736 Thread sleep count: 190 > 30
Source: C:\Windows\explorer.exe TID: 1320 Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\wlanext.exe TID: 5848 Thread sleep time: -45000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: explorer.exe, 00000003.00000000.292008725.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.292008725.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000003.00000000.290769273.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.291283717.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Shipping Documents (INV,PL,BL)_pdf.exe Binary or memory string: rogram Files\Qemu-ga\qemu-ga.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000002.497929772.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000003.00000000.292008725.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000003.00000000.292008725.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.292196573.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000003.00000000.285586778.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000003.00000000.290769273.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Shipping Documents (INV,PL,BL)_pdf.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000003.00000000.290769273.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.292008725.000000000871F000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&v
Source: explorer.exe, 00000003.00000002.498066885.0000000005603000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000003.00000000.290769273.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F086A NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000 0_2_020F086A
Hides threads from debuggers
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wlanext.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F086A rdtsc 0_2_020F086A
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F4A77 LdrInitializeThunk, 0_2_020F4A77
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F89EB mov eax, dword ptr fs:[00000030h] 0_2_020F89EB
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F421E mov eax, dword ptr fs:[00000030h] 0_2_020F421E
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F8A85 mov eax, dword ptr fs:[00000030h] 0_2_020F8A85
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F2FAB mov eax, dword ptr fs:[00000030h] 0_2_020F2FAB
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F2FB8 mov eax, dword ptr fs:[00000030h] 0_2_020F2FB8
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F2FFD mov eax, dword ptr fs:[00000030h] 0_2_020F2FFD
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F7C4F mov eax, dword ptr fs:[00000030h] 0_2_020F7C4F
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F2C7F mov eax, dword ptr fs:[00000030h] 0_2_020F2C7F
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F24E2 mov eax, dword ptr fs:[00000030h] 0_2_020F24E2
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F6CF0 mov eax, dword ptr fs:[00000030h] 0_2_020F6CF0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F89EE mov eax, dword ptr fs:[00000030h] 0_2_020F89EE
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E46AE44 mov eax, dword ptr fs:[00000030h] 1_2_1E46AE44
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E46AE44 mov eax, dword ptr fs:[00000030h] 1_2_1E46AE44
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E4A2C mov eax, dword ptr fs:[00000030h] 1_2_1E3E4A2C
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E4A2C mov eax, dword ptr fs:[00000030h] 1_2_1E3E4A2C
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E46EA55 mov eax, dword ptr fs:[00000030h] 1_2_1E46EA55
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E434257 mov eax, dword ptr fs:[00000030h] 1_2_1E434257
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3AE620 mov eax, dword ptr fs:[00000030h] 1_2_1E3AE620
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3C3A1C mov eax, dword ptr fs:[00000030h] 1_2_1E3C3A1C
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3DA61C mov eax, dword ptr fs:[00000030h] 1_2_1E3DA61C
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3DA61C mov eax, dword ptr fs:[00000030h] 1_2_1E3DA61C
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E45B260 mov eax, dword ptr fs:[00000030h] 1_2_1E45B260
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E45B260 mov eax, dword ptr fs:[00000030h] 1_2_1E45B260
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E478A62 mov eax, dword ptr fs:[00000030h] 1_2_1E478A62
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 1_2_1E3A5210
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A5210 mov ecx, dword ptr fs:[00000030h] 1_2_1E3A5210
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 1_2_1E3A5210
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 1_2_1E3A5210
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3AAA16 mov eax, dword ptr fs:[00000030h] 1_2_1E3AAA16
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3AAA16 mov eax, dword ptr fs:[00000030h] 1_2_1E3AAA16
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3B8A0A mov eax, dword ptr fs:[00000030h] 1_2_1E3B8A0A
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 1_2_1E3AC600
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 1_2_1E3AC600
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 1_2_1E3AC600
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D8E00 mov eax, dword ptr fs:[00000030h] 1_2_1E3D8E00
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E927A mov eax, dword ptr fs:[00000030h] 1_2_1E3E927A
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E461608 mov eax, dword ptr fs:[00000030h] 1_2_1E461608
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 1_2_1E3CAE73
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 1_2_1E3CAE73
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 1_2_1E3CAE73
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 1_2_1E3CAE73
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 1_2_1E3CAE73
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3B766D mov eax, dword ptr fs:[00000030h] 1_2_1E3B766D
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 1_2_1E3A9240
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 1_2_1E3A9240
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 1_2_1E3A9240
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 1_2_1E3A9240
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E45FE3F mov eax, dword ptr fs:[00000030h] 1_2_1E45FE3F
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 1_2_1E3B7E41
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 1_2_1E3B7E41
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 1_2_1E3B7E41
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 1_2_1E3B7E41
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 1_2_1E3B7E41
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 1_2_1E3B7E41
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E45FEC0 mov eax, dword ptr fs:[00000030h] 1_2_1E45FEC0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E3BAAB0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E3BAAB0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3DFAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E3DFAB0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E478ED6 mov eax, dword ptr fs:[00000030h] 1_2_1E478ED6
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 1_2_1E3A52A5
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 1_2_1E3A52A5
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 1_2_1E3A52A5
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 1_2_1E3A52A5
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 1_2_1E3A52A5
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3DD294 mov eax, dword ptr fs:[00000030h] 1_2_1E3DD294
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3DD294 mov eax, dword ptr fs:[00000030h] 1_2_1E3DD294
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E43FE87 mov eax, dword ptr fs:[00000030h] 1_2_1E43FE87
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3B76E2 mov eax, dword ptr fs:[00000030h] 1_2_1E3B76E2
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D2AE4 mov eax, dword ptr fs:[00000030h] 1_2_1E3D2AE4
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h] 1_2_1E3D16E0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 1_2_1E470EA5
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 1_2_1E470EA5
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 1_2_1E470EA5
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E4246A7 mov eax, dword ptr fs:[00000030h] 1_2_1E4246A7
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D36CC mov eax, dword ptr fs:[00000030h] 1_2_1E3D36CC
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D2ACB mov eax, dword ptr fs:[00000030h] 1_2_1E3D2ACB
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h] 1_2_1E3E8EC7
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3DE730 mov eax, dword ptr fs:[00000030h] 1_2_1E3DE730
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A4F2E mov eax, dword ptr fs:[00000030h] 1_2_1E3A4F2E
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E478B58 mov eax, dword ptr fs:[00000030h] 1_2_1E478B58
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3CF716 mov eax, dword ptr fs:[00000030h] 1_2_1E3CF716
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E478F6A mov eax, dword ptr fs:[00000030h] 1_2_1E478F6A
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3DA70E mov eax, dword ptr fs:[00000030h] 1_2_1E3DA70E
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D3B7A mov eax, dword ptr fs:[00000030h] 1_2_1E3D3B7A
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E47070D mov eax, dword ptr fs:[00000030h] 1_2_1E47070D
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E43FF10 mov eax, dword ptr fs:[00000030h] 1_2_1E43FF10
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3ADB60 mov ecx, dword ptr fs:[00000030h] 1_2_1E3ADB60
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3BFF60 mov eax, dword ptr fs:[00000030h] 1_2_1E3BFF60
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E46131B mov eax, dword ptr fs:[00000030h] 1_2_1E46131B
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3AF358 mov eax, dword ptr fs:[00000030h] 1_2_1E3AF358
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3ADB40 mov eax, dword ptr fs:[00000030h] 1_2_1E3ADB40
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3BEF40 mov eax, dword ptr fs:[00000030h] 1_2_1E3BEF40
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E4253CA mov eax, dword ptr fs:[00000030h] 1_2_1E4253CA
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 1_2_1E3D4BAD
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D2397 mov eax, dword ptr fs:[00000030h] 1_2_1E3D2397
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3DB390 mov eax, dword ptr fs:[00000030h] 1_2_1E3DB390
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3B8794 mov eax, dword ptr fs:[00000030h] 1_2_1E3B8794
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3B1B8F mov eax, dword ptr fs:[00000030h] 1_2_1E3B1B8F
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E45D380 mov ecx, dword ptr fs:[00000030h] 1_2_1E45D380
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E37F5 mov eax, dword ptr fs:[00000030h] 1_2_1E3E37F5
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E46138A mov eax, dword ptr fs:[00000030h] 1_2_1E46138A
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3CDBE9 mov eax, dword ptr fs:[00000030h] 1_2_1E3CDBE9
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E427794 mov eax, dword ptr fs:[00000030h] 1_2_1E427794
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 1_2_1E3D03E2
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E475BA5 mov eax, dword ptr fs:[00000030h] 1_2_1E475BA5
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h] 1_2_1E3D002D
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 1_2_1E3BB02A
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3DBC2C mov eax, dword ptr fs:[00000030h] 1_2_1E3DBC2C
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E43C450 mov eax, dword ptr fs:[00000030h] 1_2_1E43C450
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E471074 mov eax, dword ptr fs:[00000030h] 1_2_1E471074
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E462073 mov eax, dword ptr fs:[00000030h] 1_2_1E462073
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h] 1_2_1E461C06
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E426C0A mov eax, dword ptr fs:[00000030h] 1_2_1E426C0A
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E47740D mov eax, dword ptr fs:[00000030h] 1_2_1E47740D
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3C746D mov eax, dword ptr fs:[00000030h] 1_2_1E3C746D
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E474015 mov eax, dword ptr fs:[00000030h] 1_2_1E474015
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E427016 mov eax, dword ptr fs:[00000030h] 1_2_1E427016
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3C0050 mov eax, dword ptr fs:[00000030h] 1_2_1E3C0050
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3DA44B mov eax, dword ptr fs:[00000030h] 1_2_1E3DA44B
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3DF0BF mov ecx, dword ptr fs:[00000030h] 1_2_1E3DF0BF
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3DF0BF mov eax, dword ptr fs:[00000030h] 1_2_1E3DF0BF
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E478CD6 mov eax, dword ptr fs:[00000030h] 1_2_1E478CD6
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E90AF mov eax, dword ptr fs:[00000030h] 1_2_1E3E90AF
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E43B8D0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E43B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_1E43B8D0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 1_2_1E3D20A0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3B849B mov eax, dword ptr fs:[00000030h] 1_2_1E3B849B
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E426CF0 mov eax, dword ptr fs:[00000030h] 1_2_1E426CF0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A9080 mov eax, dword ptr fs:[00000030h] 1_2_1E3A9080
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E4614FB mov eax, dword ptr fs:[00000030h] 1_2_1E4614FB
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E423884 mov eax, dword ptr fs:[00000030h] 1_2_1E423884
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A58EC mov eax, dword ptr fs:[00000030h] 1_2_1E3A58EC
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E423540 mov eax, dword ptr fs:[00000030h] 1_2_1E423540
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D4D3B mov eax, dword ptr fs:[00000030h] 1_2_1E3D4D3B
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D513A mov eax, dword ptr fs:[00000030h] 1_2_1E3D513A
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3AAD30 mov eax, dword ptr fs:[00000030h] 1_2_1E3AAD30
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 1_2_1E3B3D34
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 1_2_1E3C4120
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3C4120 mov ecx, dword ptr fs:[00000030h] 1_2_1E3C4120
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A9100 mov eax, dword ptr fs:[00000030h] 1_2_1E3A9100
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3AB171 mov eax, dword ptr fs:[00000030h] 1_2_1E3AB171
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3CC577 mov eax, dword ptr fs:[00000030h] 1_2_1E3CC577
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3AC962 mov eax, dword ptr fs:[00000030h] 1_2_1E3AC962
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3C7D50 mov eax, dword ptr fs:[00000030h] 1_2_1E3C7D50
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E478D34 mov eax, dword ptr fs:[00000030h] 1_2_1E478D34
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E42A537 mov eax, dword ptr fs:[00000030h] 1_2_1E42A537
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3CB944 mov eax, dword ptr fs:[00000030h] 1_2_1E3CB944
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E3D43 mov eax, dword ptr fs:[00000030h] 1_2_1E3E3D43
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E46E539 mov eax, dword ptr fs:[00000030h] 1_2_1E46E539
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h] 1_2_1E3D1DB5
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E426DC9
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E426DC9 mov ecx, dword ptr fs:[00000030h] 1_2_1E426DC9
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D35A1 mov eax, dword ptr fs:[00000030h] 1_2_1E3D35A1
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D61A0 mov eax, dword ptr fs:[00000030h] 1_2_1E3D61A0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 1_2_1E46FDE2
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3DFD9B mov eax, dword ptr fs:[00000030h] 1_2_1E3DFD9B
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E4341E8 mov eax, dword ptr fs:[00000030h] 1_2_1E4341E8
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D2990 mov eax, dword ptr fs:[00000030h] 1_2_1E3D2990
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 1_2_1E3A2D8A
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E458DF1 mov eax, dword ptr fs:[00000030h] 1_2_1E458DF1
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3DA185 mov eax, dword ptr fs:[00000030h] 1_2_1E3DA185
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 1_2_1E3D2581
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3CC182 mov eax, dword ptr fs:[00000030h] 1_2_1E3CC182
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h] 1_2_1E3AB1E1
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h] 1_2_1E3BD5E0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E4269A6 mov eax, dword ptr fs:[00000030h] 1_2_1E4269A6
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E4705AC mov eax, dword ptr fs:[00000030h] 1_2_1E4705AC
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E4251BE mov eax, dword ptr fs:[00000030h] 1_2_1E4251BE
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00567C4F mov eax, dword ptr fs:[00000030h] 1_2_00567C4F
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00566CF0 mov eax, dword ptr fs:[00000030h] 1_2_00566CF0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_005641FB mov eax, dword ptr fs:[00000030h] 1_2_005641FB
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_005689EE mov eax, dword ptr fs:[00000030h] 1_2_005689EE
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_005689EB mov eax, dword ptr fs:[00000030h] 1_2_005689EB
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_00568A85 mov eax, dword ptr fs:[00000030h] 1_2_00568A85
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035D8B58 mov eax, dword ptr fs:[00000030h] 11_2_035D8B58
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350F358 mov eax, dword ptr fs:[00000030h] 11_2_0350F358
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350DB40 mov eax, dword ptr fs:[00000030h] 11_2_0350DB40
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03533B7A mov eax, dword ptr fs:[00000030h] 11_2_03533B7A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350DB60 mov ecx, dword ptr fs:[00000030h] 11_2_0350DB60
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035C131B mov eax, dword ptr fs:[00000030h] 11_2_035C131B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035853CA mov eax, dword ptr fs:[00000030h] 11_2_035853CA
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035303E2 mov eax, dword ptr fs:[00000030h] 11_2_035303E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352DBE9 mov eax, dword ptr fs:[00000030h] 11_2_0352DBE9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353B390 mov eax, dword ptr fs:[00000030h] 11_2_0353B390
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03532397 mov eax, dword ptr fs:[00000030h] 11_2_03532397
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035C138A mov eax, dword ptr fs:[00000030h] 11_2_035C138A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035BD380 mov ecx, dword ptr fs:[00000030h] 11_2_035BD380
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03511B8F mov eax, dword ptr fs:[00000030h] 11_2_03511B8F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03511B8F mov eax, dword ptr fs:[00000030h] 11_2_03511B8F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035D5BA5 mov eax, dword ptr fs:[00000030h] 11_2_035D5BA5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03534BAD mov eax, dword ptr fs:[00000030h] 11_2_03534BAD
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03534BAD mov eax, dword ptr fs:[00000030h] 11_2_03534BAD
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03534BAD mov eax, dword ptr fs:[00000030h] 11_2_03534BAD
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035CEA55 mov eax, dword ptr fs:[00000030h] 11_2_035CEA55
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03594257 mov eax, dword ptr fs:[00000030h] 11_2_03594257
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03509240 mov eax, dword ptr fs:[00000030h] 11_2_03509240
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03509240 mov eax, dword ptr fs:[00000030h] 11_2_03509240
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03509240 mov eax, dword ptr fs:[00000030h] 11_2_03509240
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03509240 mov eax, dword ptr fs:[00000030h] 11_2_03509240
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0354927A mov eax, dword ptr fs:[00000030h] 11_2_0354927A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035BB260 mov eax, dword ptr fs:[00000030h] 11_2_035BB260
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035BB260 mov eax, dword ptr fs:[00000030h] 11_2_035BB260
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035D8A62 mov eax, dword ptr fs:[00000030h] 11_2_035D8A62
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03505210 mov eax, dword ptr fs:[00000030h] 11_2_03505210
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03505210 mov ecx, dword ptr fs:[00000030h] 11_2_03505210
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03505210 mov eax, dword ptr fs:[00000030h] 11_2_03505210
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03505210 mov eax, dword ptr fs:[00000030h] 11_2_03505210
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350AA16 mov eax, dword ptr fs:[00000030h] 11_2_0350AA16
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350AA16 mov eax, dword ptr fs:[00000030h] 11_2_0350AA16
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035CAA16 mov eax, dword ptr fs:[00000030h] 11_2_035CAA16
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035CAA16 mov eax, dword ptr fs:[00000030h] 11_2_035CAA16
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03523A1C mov eax, dword ptr fs:[00000030h] 11_2_03523A1C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03518A0A mov eax, dword ptr fs:[00000030h] 11_2_03518A0A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03544A2C mov eax, dword ptr fs:[00000030h] 11_2_03544A2C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03544A2C mov eax, dword ptr fs:[00000030h] 11_2_03544A2C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h] 11_2_0352A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h] 11_2_0352A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h] 11_2_0352A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h] 11_2_0352A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h] 11_2_0352A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h] 11_2_0352A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h] 11_2_0352A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h] 11_2_0352A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h] 11_2_0352A229
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03532ACB mov eax, dword ptr fs:[00000030h] 11_2_03532ACB
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03532AE4 mov eax, dword ptr fs:[00000030h] 11_2_03532AE4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353D294 mov eax, dword ptr fs:[00000030h] 11_2_0353D294
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353D294 mov eax, dword ptr fs:[00000030h] 11_2_0353D294
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0351AAB0 mov eax, dword ptr fs:[00000030h] 11_2_0351AAB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0351AAB0 mov eax, dword ptr fs:[00000030h] 11_2_0351AAB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353FAB0 mov eax, dword ptr fs:[00000030h] 11_2_0353FAB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035052A5 mov eax, dword ptr fs:[00000030h] 11_2_035052A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035052A5 mov eax, dword ptr fs:[00000030h] 11_2_035052A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035052A5 mov eax, dword ptr fs:[00000030h] 11_2_035052A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035052A5 mov eax, dword ptr fs:[00000030h] 11_2_035052A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035052A5 mov eax, dword ptr fs:[00000030h] 11_2_035052A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352B944 mov eax, dword ptr fs:[00000030h] 11_2_0352B944
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352B944 mov eax, dword ptr fs:[00000030h] 11_2_0352B944
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350B171 mov eax, dword ptr fs:[00000030h] 11_2_0350B171
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350B171 mov eax, dword ptr fs:[00000030h] 11_2_0350B171
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350C962 mov eax, dword ptr fs:[00000030h] 11_2_0350C962
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03509100 mov eax, dword ptr fs:[00000030h] 11_2_03509100
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03509100 mov eax, dword ptr fs:[00000030h] 11_2_03509100
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03509100 mov eax, dword ptr fs:[00000030h] 11_2_03509100
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353513A mov eax, dword ptr fs:[00000030h] 11_2_0353513A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353513A mov eax, dword ptr fs:[00000030h] 11_2_0353513A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03524120 mov eax, dword ptr fs:[00000030h] 11_2_03524120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03524120 mov eax, dword ptr fs:[00000030h] 11_2_03524120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03524120 mov eax, dword ptr fs:[00000030h] 11_2_03524120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03524120 mov eax, dword ptr fs:[00000030h] 11_2_03524120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03524120 mov ecx, dword ptr fs:[00000030h] 11_2_03524120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035941E8 mov eax, dword ptr fs:[00000030h] 11_2_035941E8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350B1E1 mov eax, dword ptr fs:[00000030h] 11_2_0350B1E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350B1E1 mov eax, dword ptr fs:[00000030h] 11_2_0350B1E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350B1E1 mov eax, dword ptr fs:[00000030h] 11_2_0350B1E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03532990 mov eax, dword ptr fs:[00000030h] 11_2_03532990
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352C182 mov eax, dword ptr fs:[00000030h] 11_2_0352C182
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353A185 mov eax, dword ptr fs:[00000030h] 11_2_0353A185
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035851BE mov eax, dword ptr fs:[00000030h] 11_2_035851BE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035851BE mov eax, dword ptr fs:[00000030h] 11_2_035851BE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035851BE mov eax, dword ptr fs:[00000030h] 11_2_035851BE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035851BE mov eax, dword ptr fs:[00000030h] 11_2_035851BE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035361A0 mov eax, dword ptr fs:[00000030h] 11_2_035361A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035361A0 mov eax, dword ptr fs:[00000030h] 11_2_035361A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035C49A4 mov eax, dword ptr fs:[00000030h] 11_2_035C49A4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035C49A4 mov eax, dword ptr fs:[00000030h] 11_2_035C49A4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035C49A4 mov eax, dword ptr fs:[00000030h] 11_2_035C49A4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035C49A4 mov eax, dword ptr fs:[00000030h] 11_2_035C49A4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035869A6 mov eax, dword ptr fs:[00000030h] 11_2_035869A6
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03520050 mov eax, dword ptr fs:[00000030h] 11_2_03520050
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03520050 mov eax, dword ptr fs:[00000030h] 11_2_03520050
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035D1074 mov eax, dword ptr fs:[00000030h] 11_2_035D1074
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035C2073 mov eax, dword ptr fs:[00000030h] 11_2_035C2073
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035D4015 mov eax, dword ptr fs:[00000030h] 11_2_035D4015
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035D4015 mov eax, dword ptr fs:[00000030h] 11_2_035D4015
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03587016 mov eax, dword ptr fs:[00000030h] 11_2_03587016
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03587016 mov eax, dword ptr fs:[00000030h] 11_2_03587016
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03587016 mov eax, dword ptr fs:[00000030h] 11_2_03587016
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0351B02A mov eax, dword ptr fs:[00000030h] 11_2_0351B02A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0351B02A mov eax, dword ptr fs:[00000030h] 11_2_0351B02A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0351B02A mov eax, dword ptr fs:[00000030h] 11_2_0351B02A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0351B02A mov eax, dword ptr fs:[00000030h] 11_2_0351B02A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353002D mov eax, dword ptr fs:[00000030h] 11_2_0353002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353002D mov eax, dword ptr fs:[00000030h] 11_2_0353002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353002D mov eax, dword ptr fs:[00000030h] 11_2_0353002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353002D mov eax, dword ptr fs:[00000030h] 11_2_0353002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353002D mov eax, dword ptr fs:[00000030h] 11_2_0353002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0359B8D0 mov eax, dword ptr fs:[00000030h] 11_2_0359B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0359B8D0 mov ecx, dword ptr fs:[00000030h] 11_2_0359B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0359B8D0 mov eax, dword ptr fs:[00000030h] 11_2_0359B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0359B8D0 mov eax, dword ptr fs:[00000030h] 11_2_0359B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0359B8D0 mov eax, dword ptr fs:[00000030h] 11_2_0359B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0359B8D0 mov eax, dword ptr fs:[00000030h] 11_2_0359B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035040E1 mov eax, dword ptr fs:[00000030h] 11_2_035040E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035040E1 mov eax, dword ptr fs:[00000030h] 11_2_035040E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035040E1 mov eax, dword ptr fs:[00000030h] 11_2_035040E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035058EC mov eax, dword ptr fs:[00000030h] 11_2_035058EC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03509080 mov eax, dword ptr fs:[00000030h] 11_2_03509080
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03583884 mov eax, dword ptr fs:[00000030h] 11_2_03583884
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03583884 mov eax, dword ptr fs:[00000030h] 11_2_03583884
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353F0BF mov ecx, dword ptr fs:[00000030h] 11_2_0353F0BF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353F0BF mov eax, dword ptr fs:[00000030h] 11_2_0353F0BF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353F0BF mov eax, dword ptr fs:[00000030h] 11_2_0353F0BF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h] 11_2_035320A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h] 11_2_035320A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h] 11_2_035320A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h] 11_2_035320A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h] 11_2_035320A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h] 11_2_035320A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035490AF mov eax, dword ptr fs:[00000030h] 11_2_035490AF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0351EF40 mov eax, dword ptr fs:[00000030h] 11_2_0351EF40
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0351FF60 mov eax, dword ptr fs:[00000030h] 11_2_0351FF60
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035D8F6A mov eax, dword ptr fs:[00000030h] 11_2_035D8F6A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352F716 mov eax, dword ptr fs:[00000030h] 11_2_0352F716
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0359FF10 mov eax, dword ptr fs:[00000030h] 11_2_0359FF10
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0359FF10 mov eax, dword ptr fs:[00000030h] 11_2_0359FF10
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035D070D mov eax, dword ptr fs:[00000030h] 11_2_035D070D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035D070D mov eax, dword ptr fs:[00000030h] 11_2_035D070D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353A70E mov eax, dword ptr fs:[00000030h] 11_2_0353A70E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353A70E mov eax, dword ptr fs:[00000030h] 11_2_0353A70E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353E730 mov eax, dword ptr fs:[00000030h] 11_2_0353E730
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03504F2E mov eax, dword ptr fs:[00000030h] 11_2_03504F2E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03504F2E mov eax, dword ptr fs:[00000030h] 11_2_03504F2E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035437F5 mov eax, dword ptr fs:[00000030h] 11_2_035437F5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03518794 mov eax, dword ptr fs:[00000030h] 11_2_03518794
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03587794 mov eax, dword ptr fs:[00000030h] 11_2_03587794
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03587794 mov eax, dword ptr fs:[00000030h] 11_2_03587794
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03587794 mov eax, dword ptr fs:[00000030h] 11_2_03587794
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h] 11_2_03517E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h] 11_2_03517E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h] 11_2_03517E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h] 11_2_03517E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h] 11_2_03517E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h] 11_2_03517E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035CAE44 mov eax, dword ptr fs:[00000030h] 11_2_035CAE44
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035CAE44 mov eax, dword ptr fs:[00000030h] 11_2_035CAE44
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352AE73 mov eax, dword ptr fs:[00000030h] 11_2_0352AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352AE73 mov eax, dword ptr fs:[00000030h] 11_2_0352AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352AE73 mov eax, dword ptr fs:[00000030h] 11_2_0352AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352AE73 mov eax, dword ptr fs:[00000030h] 11_2_0352AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352AE73 mov eax, dword ptr fs:[00000030h] 11_2_0352AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0351766D mov eax, dword ptr fs:[00000030h] 11_2_0351766D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353A61C mov eax, dword ptr fs:[00000030h] 11_2_0353A61C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0353A61C mov eax, dword ptr fs:[00000030h] 11_2_0353A61C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350C600 mov eax, dword ptr fs:[00000030h] 11_2_0350C600
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350C600 mov eax, dword ptr fs:[00000030h] 11_2_0350C600
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350C600 mov eax, dword ptr fs:[00000030h] 11_2_0350C600
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03538E00 mov eax, dword ptr fs:[00000030h] 11_2_03538E00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035C1608 mov eax, dword ptr fs:[00000030h] 11_2_035C1608
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035BFE3F mov eax, dword ptr fs:[00000030h] 11_2_035BFE3F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350E620 mov eax, dword ptr fs:[00000030h] 11_2_0350E620
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035D8ED6 mov eax, dword ptr fs:[00000030h] 11_2_035D8ED6
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03548EC7 mov eax, dword ptr fs:[00000030h] 11_2_03548EC7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035BFEC0 mov eax, dword ptr fs:[00000030h] 11_2_035BFEC0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035336CC mov eax, dword ptr fs:[00000030h] 11_2_035336CC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035316E0 mov ecx, dword ptr fs:[00000030h] 11_2_035316E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035176E2 mov eax, dword ptr fs:[00000030h] 11_2_035176E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0359FE87 mov eax, dword ptr fs:[00000030h] 11_2_0359FE87
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035D0EA5 mov eax, dword ptr fs:[00000030h] 11_2_035D0EA5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035D0EA5 mov eax, dword ptr fs:[00000030h] 11_2_035D0EA5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035D0EA5 mov eax, dword ptr fs:[00000030h] 11_2_035D0EA5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035846A7 mov eax, dword ptr fs:[00000030h] 11_2_035846A7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03527D50 mov eax, dword ptr fs:[00000030h] 11_2_03527D50
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03543D43 mov eax, dword ptr fs:[00000030h] 11_2_03543D43
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03583540 mov eax, dword ptr fs:[00000030h] 11_2_03583540
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035B3D40 mov eax, dword ptr fs:[00000030h] 11_2_035B3D40
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352C577 mov eax, dword ptr fs:[00000030h] 11_2_0352C577
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0352C577 mov eax, dword ptr fs:[00000030h] 11_2_0352C577
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0350AD30 mov eax, dword ptr fs:[00000030h] 11_2_0350AD30
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h] 11_2_03513D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h] 11_2_03513D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h] 11_2_03513D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h] 11_2_03513D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h] 11_2_03513D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h] 11_2_03513D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h] 11_2_03513D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h] 11_2_03513D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h] 11_2_03513D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h] 11_2_03513D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h] 11_2_03513D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h] 11_2_03513D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h] 11_2_03513D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035CE539 mov eax, dword ptr fs:[00000030h] 11_2_035CE539
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03534D3B mov eax, dword ptr fs:[00000030h] 11_2_03534D3B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03534D3B mov eax, dword ptr fs:[00000030h] 11_2_03534D3B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03534D3B mov eax, dword ptr fs:[00000030h] 11_2_03534D3B
Enables debug privileges
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wlanext.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_005632C6 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 1_2_005632C6
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_005632D1 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory, 1_2_005632D1

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 68.70.163.36 80
Source: C:\Windows\explorer.exe Network Connect: 156.224.66.93 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\wlanext.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: C90000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Process created: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
Source: explorer.exe, 00000003.00000002.485221215.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000003.00000000.276889024.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 0000000B.00000002.487832542.0000000004970000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000002.500202278.0000000006860000.00000004.00000001.sdmp, wlanext.exe, 0000000B.00000002.487832542.0000000004970000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.276889024.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 0000000B.00000002.487832542.0000000004970000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.276889024.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 0000000B.00000002.487832542.0000000004970000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F1083 cpuid 0_2_020F1083
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Queries volume information: C:\ VolumeInformation

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: Shipping Documents (INV,PL,BL)_pdf.exe PID: 5268, type: MEMORY
Source: Yara match File source: Process Memory Space: wlanext.exe PID: 5896, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
Behavior Graph (ID: 320999; Sample: Shipping Documents (INV,PL,BL)_pdf.exe; Startdate: 20/11/2020; Architecture: WINDOWS; Score: 100)

Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 12 other signatures
Top-level DNS/IP info: www.leepl.com; HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com

Process tree recovered from the graph:

  • Shipping Documents (INV,PL,BL)_pdf.exe (started). Signatures: Tries to detect Any.run; Hides threads from debuggers
    • Shipping Documents (INV,PL,BL)_pdf.exe (started). DNS/IP: lifeandhealth.com.mx 192.185.170.106 port 443 (local port 49699), UNIFIEDLAYER-AS-1US, United States. Signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
      • explorer.exe (injected). DNS/IP: www.iatlet.com 156.224.66.93 port 80 (local port 49707), XIAOZHIYUN1-AS-APICIDCNETWORKUS, Seychelles; drinksandfruits.com 68.70.163.36 port 80 (local port 49706), NETSOURCEUS, United States; www.drinksandfruits.com. Signatures: System process connects to network (likely due to code injection or exploit)
        • wlanext.exe (started). Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          • cmd.exe (started)
            • conhost.exe (started)

Contacted Public IPs

IP               Domain   Country        ASN     ASN Name                         Malicious
68.70.163.36     unknown  United States  22458   NETSOURCEUS                      true
156.224.66.93    unknown  Seychelles     136800  XIAOZHIYUN1-AS-APICIDCNETWORKUS  true
192.185.170.106  unknown  United States  46606   UNIFIEDLAYER-AS-1US              false

Contacted Domains

Name IP Active
lifeandhealth.com.mx 192.185.170.106 true
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com 3.223.115.185 true
drinksandfruits.com 68.70.163.36 true
www.iatlet.com 156.224.66.93 true
www.drinksandfruits.com unknown unknown
www.leepl.com unknown unknown

Contacted URLs

Name: http://www.iatlet.com/icm9/?jJEpd=tzd6f6hltsiSnXVk4gBb1fk7WFCRZPV169uDhTo4RpQ3iNZth/6Mcmvn9cuuL1csRrj/&wZ9=O2MpVr
  Malicious: true; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
Name: http://www.drinksandfruits.com/icm9/?jJEpd=vVVBlGd6XjiYufiPZCtpE8ClhRDPSp+6pFrvIQJUgNbClm9AeMVCLXFgut4jwu7Jje2C&wZ9=O2MpVr
  Malicious: true; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown