
Analysis Report PDFSLP232.exe

Overview

General Information

Sample Name: PDFSLP232.exe
Analysis ID: 288022
MD5: 9cabc06c47b82704fd1b7f2bc179a3a8
SHA1: 83fe695a745fe1a0f81cf1ec71cde74a9d4b424d
SHA256: cb1b1d99cbf6d7bb1a30ec1c7ee31c36b8e19230751046688ad1a14b2fec4758
Tags: FormBook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PDFSLP232.exe (PID: 5772 cmdline: 'C:\Users\user\Desktop\PDFSLP232.exe' MD5: 9CABC06C47B82704FD1B7F2BC179A3A8)
    • PDFSLP232.exe (PID: 6528 cmdline: {path} MD5: 9CABC06C47B82704FD1B7F2BC179A3A8)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 5164 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 6560 cmdline: /c del 'C:\Users\user\Desktop\PDFSLP232.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.402408933.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.402408933.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000002.00000002.402408933.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000005.00000002.623607545.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.623607545.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.PDFSLP232.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.PDFSLP232.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
2.2.PDFSLP232.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
2.2.PDFSLP232.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.PDFSLP232.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://www.regulars6.com/3iw/, Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: PDFSLP232.exe, Virustotal: Detection: 25%
Source: PDFSLP232.exe, ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match, File source: 00000002.00000002.402408933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.623607545.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.624304420.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.367851490.0000000003C59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.624353738.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.403183065.0000000001910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.405588630.0000000001C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 2.2.PDFSLP232.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.PDFSLP232.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PDFSLP232.exe, Joe Sandbox ML: detected
Source: 2.2.PDFSLP232.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

E-Banking Fraud:

Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.402408933.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.402408933.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.623607545.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.623607545.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.624304420.0000000000D60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.624304420.0000000000D60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.367851490.0000000003C59000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.367851490.0000000003C59000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.624353738.0000000000D90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.624353738.0000000000D90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.403183065.0000000001910000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.403183065.0000000001910000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.405588630.0000000001C80000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.405588630.0000000001C80000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.PDFSLP232.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.PDFSLP232.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.PDFSLP232.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.PDFSLP232.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_00419830 NtCreateFile, 2_2_00419830
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_004198E0 NtReadFile, 2_2_004198E0
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_00419960 NtClose, 2_2_00419960
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_00419A10 NtAllocateVirtualMemory, 2_2_00419A10
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_0041982D NtCreateFile, 2_2_0041982D
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_004198DA NtReadFile, 2_2_004198DA
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_00419883 NtReadFile, 2_2_00419883
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_0041995A NtClose, 2_2_0041995A
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_00419A0B NtAllocateVirtualMemory, 2_2_00419A0B
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B99A0 NtCreateSection, LdrInitializeThunk, 2_2_019B99A0
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B9910 NtAdjustPrivilegesToken, LdrInitializeThunk, 2_2_019B9910
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B98F0 NtReadVirtualMemory, LdrInitializeThunk, 2_2_019B98F0
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B9840 NtDelayExecution, LdrInitializeThunk, 2_2_019B9840
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B9860 NtQuerySystemInformation, LdrInitializeThunk, 2_2_019B9860
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B9A00 NtProtectVirtualMemory, LdrInitializeThunk, 2_2_019B9A00
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B9A20 NtResumeThread, LdrInitializeThunk, 2_2_019B9A20
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B9A50 NtCreateFile, LdrInitializeThunk, 2_2_019B9A50
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B95D0 NtClose, LdrInitializeThunk, 2_2_019B95D0
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B9540 NtReadFile, LdrInitializeThunk, 2_2_019B9540
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B9780 NtMapViewOfSection, LdrInitializeThunk, 2_2_019B9780
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B97A0 NtUnmapViewOfSection, LdrInitializeThunk, 2_2_019B97A0
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B9710 NtQueryInformationToken, LdrInitializeThunk, 2_2_019B9710
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B96E0 NtFreeVirtualMemory, LdrInitializeThunk, 2_2_019B96E0
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B9660 NtAllocateVirtualMemory, LdrInitializeThunk, 2_2_019B9660
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B99D0 NtCreateProcessEx, 2_2_019B99D0
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B9950 NtQueueApcThread, 2_2_019B9950
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B98A0 NtWriteVirtualMemory, 2_2_019B98A0
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B9820 NtEnumerateKey, 2_2_019B9820
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019BB040 NtSuspendThread, 2_2_019BB040
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019BA3B0 NtGetContextThread, 2_2_019BA3B0
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B9B00 NtSetValueKey, 2_2_019B9B00
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B9A80 NtOpenDirectoryObject, 2_2_019B9A80
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B9A10 NtQuerySection, 2_2_019B9A10
Source: C:\Users\user\Desktop\PDFSLP232.exe, Code function: 2_2_019B95F0 NtQueryInformationFile, 2_2_019B95F0
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019BAD30 NtSetContextThread,2_2_019BAD30
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B9520 NtWaitForSingleObject,2_2_019B9520
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B9560 NtWriteFile,2_2_019B9560
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B9FE0 NtCreateMutant,2_2_019B9FE0
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019BA710 NtOpenProcessToken,2_2_019BA710
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B9730 NtQueryVirtualMemory,2_2_019B9730
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019BA770 NtOpenThread,2_2_019BA770
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B9770 NtSetInformationFile,2_2_019B9770
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B9760 NtOpenProcess,2_2_019B9760
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B96D0 NtCreateKey,2_2_019B96D0
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B9610 NtEnumerateValueKey,2_2_019B9610
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B9650 NtQueryValueKey,2_2_019B9650
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B9670 NtQueryInformationProcess,2_2_019B9670
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599540 NtReadFile,LdrInitializeThunk,5_2_04599540
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_045995D0 NtClose,LdrInitializeThunk,5_2_045995D0
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599650 NtQueryValueKey,LdrInitializeThunk,5_2_04599650
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599660 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_04599660
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_045996D0 NtCreateKey,LdrInitializeThunk,5_2_045996D0
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_045996E0 NtFreeVirtualMemory,LdrInitializeThunk,5_2_045996E0
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599710 NtQueryInformationToken,LdrInitializeThunk,5_2_04599710
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599FE0 NtCreateMutant,LdrInitializeThunk,5_2_04599FE0
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599780 NtMapViewOfSection,LdrInitializeThunk,5_2_04599780
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599840 NtDelayExecution,LdrInitializeThunk,5_2_04599840
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599860 NtQuerySystemInformation,LdrInitializeThunk,5_2_04599860
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599910 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_04599910
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_045999A0 NtCreateSection,LdrInitializeThunk,5_2_045999A0
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599A50 NtCreateFile,LdrInitializeThunk,5_2_04599A50
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599560 NtWriteFile,5_2_04599560
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_0459AD30 NtSetContextThread,5_2_0459AD30
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599520 NtWaitForSingleObject,5_2_04599520
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_045995F0 NtQueryInformationFile,5_2_045995F0
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599670 NtQueryInformationProcess,5_2_04599670
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599610 NtEnumerateValueKey,5_2_04599610
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_0459A770 NtOpenThread,5_2_0459A770
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599770 NtSetInformationFile,5_2_04599770
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599760 NtOpenProcess,5_2_04599760
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_0459A710 NtOpenProcessToken,5_2_0459A710
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599730 NtQueryVirtualMemory,5_2_04599730
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_045997A0 NtUnmapViewOfSection,5_2_045997A0
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_0459B040 NtSuspendThread,5_2_0459B040
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599820 NtEnumerateKey,5_2_04599820
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_045998F0 NtReadVirtualMemory,5_2_045998F0
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_045998A0 NtWriteVirtualMemory,5_2_045998A0
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599950 NtQueueApcThread,5_2_04599950
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_045999D0 NtCreateProcessEx,5_2_045999D0
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599A10 NtQuerySection,5_2_04599A10
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599A00 NtProtectVirtualMemory,5_2_04599A00
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599A20 NtResumeThread,5_2_04599A20
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599A80 NtOpenDirectoryObject,5_2_04599A80
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_04599B00 NtSetValueKey,5_2_04599B00
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_0459A3B0 NtGetContextThread,5_2_0459A3B0
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_00419830 NtCreateFile,5_2_00419830
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_004198E0 NtReadFile,5_2_004198E0
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_00419960 NtClose,5_2_00419960
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_00419A10 NtAllocateVirtualMemory,5_2_00419A10
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_0041982D NtCreateFile,5_2_0041982D
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_004198DA NtReadFile,5_2_004198DA
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_00419883 NtReadFile,5_2_00419883
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_0041995A NtClose,5_2_0041995A
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 5_2_00419A0B NtAllocateVirtualMemory,5_2_00419A0B
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: String function: 0455B150 appears 133 times
          Source: C:\Users\user\Desktop\PDFSLP232.exe; Code function: String function: 0197B150 appears 145 times
          Source: PDFSLP232.exe; Binary or memory string: OriginalFilename vs PDFSLP232.exe
          Source: PDFSLP232.exe, 00000001.00000002.366244777.0000000002C31000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameHutaba.dll, vs PDFSLP232.exe
          Source: PDFSLP232.exe, 00000001.00000002.367851490.0000000003C59000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameB2B.exe4 vs PDFSLP232.exe
          Source: PDFSLP232.exe, 00000001.00000000.357422642.0000000000902000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenamempN.exe: vs PDFSLP232.exe
          Source: PDFSLP232.exe, 00000002.00000000.364114450.0000000000EE2000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenamempN.exe: vs PDFSLP232.exe
          Source: PDFSLP232.exe, 00000002.00000002.404044057.0000000001A6F000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs PDFSLP232.exe
          Source: PDFSLP232.exe, 00000002.00000002.405711392.0000000001D90000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameCMSTP.EXE` vs PDFSLP232.exe
          Source: PDFSLP232.exe; Binary or memory string: OriginalFilenamempN.exe: vs PDFSLP232.exe
          Source: unknown; Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: 00000002.00000002.402408933.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.402408933.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.623607545.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.623607545.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.624304420.0000000000D60000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.624304420.0000000000D60000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.367851490.0000000003C59000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.367851490.0000000003C59000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.624353738.0000000000D90000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.624353738.0000000000D90000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.403183065.0000000001910000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.403183065.0000000001910000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.405588630.0000000001C80000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.405588630.0000000001C80000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.PDFSLP232.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.PDFSLP232.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.PDFSLP232.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.PDFSLP232.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: PDFSLP232.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@0/0
          Source: C:\Users\user\Desktop\PDFSLP232.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PDFSLP232.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_01
          Source: C:\Users\user\Desktop\PDFSLP232.exeMutant created: \Sessions\1\BaseNamedObjects\XRVbQjsEkJUlqieAoI
          Source: PDFSLP232.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PDFSLP232.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\PDFSLP232.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: PDFSLP232.exeVirustotal: Detection: 25%
          Source: PDFSLP232.exeReversingLabs: Detection: 22%
          Source: unknownProcess created: C:\Users\user\Desktop\PDFSLP232.exe 'C:\Users\user\Desktop\PDFSLP232.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\PDFSLP232.exe {path}
          Source: unknownProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PDFSLP232.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PDFSLP232.exeProcess created: C:\Users\user\Desktop\PDFSLP232.exe {path}
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PDFSLP232.exe'
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
          Source: C:\Users\user\Desktop\PDFSLP232.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: PDFSLP232.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: PDFSLP232.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmstp.pdbGCTL source: PDFSLP232.exe, 00000002.00000002.405711392.0000000001D90000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.383697796.0000000007640000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: PDFSLP232.exe, 00000002.00000002.403385385.0000000001950000.00000040.00000001.sdmp, cmstp.exe, 00000005.00000002.625133455.000000000464F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PDFSLP232.exe, cmstp.exe
          Source: Binary string: cmstp.pdb source: PDFSLP232.exe, 00000002.00000002.405711392.0000000001D90000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.383697796.0000000007640000.00000002.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: PDFSLP232.exe, Library/Books.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.PDFSLP232.exe.900000.0.unpack, Library/Books.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.PDFSLP232.exe.900000.0.unpack, Library/Books.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.PDFSLP232.exe.ee0000.1.unpack, Library/Books.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.PDFSLP232.exe.ee0000.0.unpack, Library/Books.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: initial sampleStatic PE information: section name: .text entropy: 7.42664687377

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xC3 0x36
          Source: C:\Users\user\Desktop\PDFSLP232.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara matchFile source: Process Memory Space: PDFSLP232.exe PID: 5772, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: PDFSLP232.exe, 00000001.00000002.367448412.0000000003427000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: PDFSLP232.exe, 00000001.00000002.367448412.0000000003427000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\PDFSLP232.exeRDTSC instruction interceptor: First address: 00000000004098B4 second address: 00000000004098BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PDFSLP232.exeRDTSC instruction interceptor: First address: 0000000000409B1E second address: 0000000000409B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 00000000004098B4 second address: 00000000004098BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 0000000000409B1E second address: 0000000000409B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_00409A50 rdtsc 2_2_00409A50
          Source: C:\Users\user\Desktop\PDFSLP232.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\PDFSLP232.exe TID: 2612Thread sleep time: -41500s >= -30000s
          Source: C:\Users\user\Desktop\PDFSLP232.exe TID: 160Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6420Thread sleep count: 34 > 30
          Source: C:\Windows\explorer.exe TID: 6420Thread sleep time: -68000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 1408Thread sleep time: -80000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: explorer.exe, 00000003.00000000.384309329.0000000007BBC000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.384183143.0000000007B29000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.384405088.0000000007C3C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00$
          Source: explorer.exe, 00000003.00000000.385839438.0000000007F40000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: PDFSLP232.exe, 00000001.00000002.367448412.0000000003427000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: explorer.exe, 00000003.00000000.384405088.0000000007C3C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0s_
          Source: PDFSLP232.exe, 00000001.00000002.367448412.0000000003427000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: PDFSLP232.exe, 00000001.00000002.367448412.0000000003427000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000003.00000000.379127562.00000000044B1000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}lo
          Source: PDFSLP232.exe, 00000001.00000002.367448412.0000000003427000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: explorer.exe, 00000003.00000000.384309329.0000000007BBC000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: PDFSLP232.exe, 00000001.00000002.367448412.0000000003427000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000003.00000000.384183143.0000000007B29000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}T7
          Source: explorer.exe, 00000003.00000000.385839438.0000000007F40000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.385839438.0000000007F40000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.384183143.0000000007B29000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}6B
          Source: PDFSLP232.exe, 00000001.00000002.367448412.0000000003427000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: PDFSLP232.exe, 00000001.00000002.367448412.0000000003427000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: PDFSLP232.exe, 00000001.00000002.367448412.0000000003427000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000003.00000000.384309329.0000000007BBC000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000003.00000000.385839438.0000000007F40000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\PDFSLP232.exeProcess information queried: ProcessInformation

          Anti Debugging:

          Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 1_2_012CDA50 CheckRemoteDebuggerPresent,1_2_012CDA50
          Source: C:\Users\user\Desktop\PDFSLP232.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_00409A50 rdtsc 2_2_00409A50
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0040ADF0 LdrLoadDll,2_2_0040ADF0
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A309 mov eax, dword ptr fs:[00000030h]2_2_0199A309
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A309 mov eax, dword ptr fs:[00000030h]2_2_0199A309
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A309 mov eax, dword ptr fs:[00000030h]2_2_0199A309
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A309 mov eax, dword ptr fs:[00000030h]2_2_0199A309
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A309 mov eax, dword ptr fs:[00000030h]2_2_0199A309
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A309 mov eax, dword ptr fs:[00000030h]2_2_0199A309
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A309 mov eax, dword ptr fs:[00000030h]2_2_0199A309
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A309 mov eax, dword ptr fs:[00000030h]2_2_0199A309
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A309 mov eax, dword ptr fs:[00000030h]2_2_0199A309
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A309 mov eax, dword ptr fs:[00000030h]2_2_0199A309
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A309 mov eax, dword ptr fs:[00000030h]2_2_0199A309
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A309 mov eax, dword ptr fs:[00000030h]2_2_0199A309
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A309 mov eax, dword ptr fs:[00000030h]2_2_0199A309
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A309 mov eax, dword ptr fs:[00000030h]2_2_0199A309
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A3131B mov eax, dword ptr fs:[00000030h]2_2_01A3131B
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0197F358 mov eax, dword ptr fs:[00000030h]2_2_0197F358
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0197DB40 mov eax, dword ptr fs:[00000030h]2_2_0197DB40
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A3B7A mov eax, dword ptr fs:[00000030h]2_2_019A3B7A
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A3B7A mov eax, dword ptr fs:[00000030h]2_2_019A3B7A
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0198F370 mov eax, dword ptr fs:[00000030h]2_2_0198F370
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0198F370 mov eax, dword ptr fs:[00000030h]2_2_0198F370
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0198F370 mov eax, dword ptr fs:[00000030h]2_2_0198F370
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0197DB60 mov ecx, dword ptr fs:[00000030h]2_2_0197DB60
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A48B58 mov eax, dword ptr fs:[00000030h]2_2_01A48B58
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019AD294 mov eax, dword ptr fs:[00000030h]2_2_019AD294
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019AD294 mov eax, dword ptr fs:[00000030h]2_2_019AD294
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0198AAB0 mov eax, dword ptr fs:[00000030h]2_2_0198AAB0
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0198AAB0 mov eax, dword ptr fs:[00000030h]2_2_0198AAB0
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019AFAB0 mov eax, dword ptr fs:[00000030h]2_2_019AFAB0
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019752A5 mov eax, dword ptr fs:[00000030h]2_2_019752A5
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019752A5 mov eax, dword ptr fs:[00000030h]2_2_019752A5
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019752A5 mov eax, dword ptr fs:[00000030h]2_2_019752A5
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019752A5 mov eax, dword ptr fs:[00000030h]2_2_019752A5
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019752A5 mov eax, dword ptr fs:[00000030h]2_2_019752A5
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34AEF mov eax, dword ptr fs:[00000030h]2_2_01A34AEF
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34AEF mov eax, dword ptr fs:[00000030h]2_2_01A34AEF
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34AEF mov eax, dword ptr fs:[00000030h]2_2_01A34AEF
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34AEF mov eax, dword ptr fs:[00000030h]2_2_01A34AEF
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34AEF mov eax, dword ptr fs:[00000030h]2_2_01A34AEF
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34AEF mov eax, dword ptr fs:[00000030h]2_2_01A34AEF
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34AEF mov eax, dword ptr fs:[00000030h]2_2_01A34AEF
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34AEF mov eax, dword ptr fs:[00000030h]2_2_01A34AEF
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34AEF mov eax, dword ptr fs:[00000030h]2_2_01A34AEF
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34AEF mov eax, dword ptr fs:[00000030h]2_2_01A34AEF
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34AEF mov eax, dword ptr fs:[00000030h]2_2_01A34AEF
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34AEF mov eax, dword ptr fs:[00000030h]2_2_01A34AEF
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34AEF mov eax, dword ptr fs:[00000030h]2_2_01A34AEF
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34AEF mov eax, dword ptr fs:[00000030h]2_2_01A34AEF
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A2ACB mov eax, dword ptr fs:[00000030h]2_2_019A2ACB
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A2AE4 mov eax, dword ptr fs:[00000030h]2_2_019A2AE4
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0197AA16 mov eax, dword ptr fs:[00000030h]2_2_0197AA16
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0197AA16 mov eax, dword ptr fs:[00000030h]2_2_0197AA16
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01993A1C mov eax, dword ptr fs:[00000030h]2_2_01993A1C
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01975210 mov eax, dword ptr fs:[00000030h]2_2_01975210
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01975210 mov ecx, dword ptr fs:[00000030h]2_2_01975210
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01975210 mov eax, dword ptr fs:[00000030h]2_2_01975210
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01975210 mov eax, dword ptr fs:[00000030h]2_2_01975210
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A31229 mov eax, dword ptr fs:[00000030h]2_2_01A31229
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01988A0A mov eax, dword ptr fs:[00000030h]2_2_01988A0A
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199B236 mov eax, dword ptr fs:[00000030h]2_2_0199B236
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199B236 mov eax, dword ptr fs:[00000030h]2_2_0199B236
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199B236 mov eax, dword ptr fs:[00000030h]2_2_0199B236
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199B236 mov eax, dword ptr fs:[00000030h]2_2_0199B236
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199B236 mov eax, dword ptr fs:[00000030h]2_2_0199B236
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199B236 mov eax, dword ptr fs:[00000030h]2_2_0199B236
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A229 mov eax, dword ptr fs:[00000030h]2_2_0199A229
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A229 mov eax, dword ptr fs:[00000030h]2_2_0199A229
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A229 mov eax, dword ptr fs:[00000030h]2_2_0199A229
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A229 mov eax, dword ptr fs:[00000030h]2_2_0199A229
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A229 mov eax, dword ptr fs:[00000030h]2_2_0199A229
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A229 mov eax, dword ptr fs:[00000030h]2_2_0199A229
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A229 mov eax, dword ptr fs:[00000030h]2_2_0199A229
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A229 mov eax, dword ptr fs:[00000030h]2_2_0199A229
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199A229 mov eax, dword ptr fs:[00000030h]2_2_0199A229
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A3AA16 mov eax, dword ptr fs:[00000030h]2_2_01A3AA16
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A3AA16 mov eax, dword ptr fs:[00000030h]2_2_01A3AA16
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B4A2C mov eax, dword ptr fs:[00000030h]2_2_019B4A2C
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B4A2C mov eax, dword ptr fs:[00000030h]2_2_019B4A2C
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A2B260 mov eax, dword ptr fs:[00000030h]2_2_01A2B260
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A2B260 mov eax, dword ptr fs:[00000030h]2_2_01A2B260
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A48A62 mov eax, dword ptr fs:[00000030h]2_2_01A48A62
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01979240 mov eax, dword ptr fs:[00000030h]2_2_01979240
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01979240 mov eax, dword ptr fs:[00000030h]2_2_01979240
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01979240 mov eax, dword ptr fs:[00000030h]2_2_01979240
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01979240 mov eax, dword ptr fs:[00000030h]2_2_01979240
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B927A mov eax, dword ptr fs:[00000030h]2_2_019B927A
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B5A69 mov eax, dword ptr fs:[00000030h]2_2_019B5A69
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B5A69 mov eax, dword ptr fs:[00000030h]2_2_019B5A69
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B5A69 mov eax, dword ptr fs:[00000030h]2_2_019B5A69
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A3EA55 mov eax, dword ptr fs:[00000030h]2_2_01A3EA55
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A04257 mov eax, dword ptr fs:[00000030h]2_2_01A04257
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019AFD9B mov eax, dword ptr fs:[00000030h]2_2_019AFD9B
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019AFD9B mov eax, dword ptr fs:[00000030h]2_2_019AFD9B
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A405AC mov eax, dword ptr fs:[00000030h]2_2_01A405AC
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A405AC mov eax, dword ptr fs:[00000030h]2_2_01A405AC
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A2581 mov eax, dword ptr fs:[00000030h]2_2_019A2581
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A2581 mov eax, dword ptr fs:[00000030h]2_2_019A2581
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A2581 mov eax, dword ptr fs:[00000030h]2_2_019A2581
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A2581 mov eax, dword ptr fs:[00000030h]2_2_019A2581
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01972D8A mov eax, dword ptr fs:[00000030h]2_2_01972D8A
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01972D8A mov eax, dword ptr fs:[00000030h]2_2_01972D8A
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01972D8A mov eax, dword ptr fs:[00000030h]2_2_01972D8A
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01972D8A mov eax, dword ptr fs:[00000030h]2_2_01972D8A
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01972D8A mov eax, dword ptr fs:[00000030h]2_2_01972D8A
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A32D82 mov eax, dword ptr fs:[00000030h]2_2_01A32D82
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A32D82 mov eax, dword ptr fs:[00000030h]2_2_01A32D82
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A32D82 mov eax, dword ptr fs:[00000030h]2_2_01A32D82
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A32D82 mov eax, dword ptr fs:[00000030h]2_2_01A32D82
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A32D82 mov eax, dword ptr fs:[00000030h]2_2_01A32D82
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A32D82 mov eax, dword ptr fs:[00000030h]2_2_01A32D82
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A32D82 mov eax, dword ptr fs:[00000030h]2_2_01A32D82
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A1DB5 mov eax, dword ptr fs:[00000030h]2_2_019A1DB5
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A1DB5 mov eax, dword ptr fs:[00000030h]2_2_019A1DB5
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A1DB5 mov eax, dword ptr fs:[00000030h]2_2_019A1DB5
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A35A1 mov eax, dword ptr fs:[00000030h]2_2_019A35A1
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A3FDE2 mov eax, dword ptr fs:[00000030h]2_2_01A3FDE2
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A3FDE2 mov eax, dword ptr fs:[00000030h]2_2_01A3FDE2
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A3FDE2 mov eax, dword ptr fs:[00000030h]2_2_01A3FDE2
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A3FDE2 mov eax, dword ptr fs:[00000030h]2_2_01A3FDE2
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A28DF1 mov eax, dword ptr fs:[00000030h]2_2_01A28DF1
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019F6DC9 mov eax, dword ptr fs:[00000030h]2_2_019F6DC9
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019F6DC9 mov eax, dword ptr fs:[00000030h]2_2_019F6DC9
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019F6DC9 mov eax, dword ptr fs:[00000030h]2_2_019F6DC9
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019F6DC9 mov ecx, dword ptr fs:[00000030h]2_2_019F6DC9
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019F6DC9 mov eax, dword ptr fs:[00000030h]2_2_019F6DC9
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019F6DC9 mov eax, dword ptr fs:[00000030h]2_2_019F6DC9
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0198D5E0 mov eax, dword ptr fs:[00000030h]2_2_0198D5E0
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0198D5E0 mov eax, dword ptr fs:[00000030h]2_2_0198D5E0
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A48D34 mov eax, dword ptr fs:[00000030h]2_2_01A48D34
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A3E539 mov eax, dword ptr fs:[00000030h]2_2_01A3E539
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A4D3B mov eax, dword ptr fs:[00000030h]2_2_019A4D3B
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A4D3B mov eax, dword ptr fs:[00000030h]2_2_019A4D3B
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A4D3B mov eax, dword ptr fs:[00000030h]2_2_019A4D3B
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0197AD30 mov eax, dword ptr fs:[00000030h]2_2_0197AD30
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019FA537 mov eax, dword ptr fs:[00000030h]2_2_019FA537
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01983D34 mov eax, dword ptr fs:[00000030h]2_2_01983D34
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01983D34 mov eax, dword ptr fs:[00000030h]2_2_01983D34
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01983D34 mov eax, dword ptr fs:[00000030h]2_2_01983D34
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01983D34 mov eax, dword ptr fs:[00000030h]2_2_01983D34
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01983D34 mov eax, dword ptr fs:[00000030h]2_2_01983D34
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01983D34 mov eax, dword ptr fs:[00000030h]2_2_01983D34
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01983D34 mov eax, dword ptr fs:[00000030h]2_2_01983D34
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01983D34 mov eax, dword ptr fs:[00000030h]2_2_01983D34
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01983D34 mov eax, dword ptr fs:[00000030h]2_2_01983D34
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01983D34 mov eax, dword ptr fs:[00000030h]2_2_01983D34
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01983D34 mov eax, dword ptr fs:[00000030h]2_2_01983D34
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01983D34 mov eax, dword ptr fs:[00000030h]2_2_01983D34
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01983D34 mov eax, dword ptr fs:[00000030h]2_2_01983D34
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019AF527 mov eax, dword ptr fs:[00000030h]2_2_019AF527
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019AF527 mov eax, dword ptr fs:[00000030h]2_2_019AF527
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019AF527 mov eax, dword ptr fs:[00000030h]2_2_019AF527
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01997D50 mov eax, dword ptr fs:[00000030h]2_2_01997D50
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019B3D43 mov eax, dword ptr fs:[00000030h]2_2_019B3D43
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019F3540 mov eax, dword ptr fs:[00000030h]2_2_019F3540
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A23D40 mov eax, dword ptr fs:[00000030h]2_2_01A23D40
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199C577 mov eax, dword ptr fs:[00000030h]2_2_0199C577
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0199C577 mov eax, dword ptr fs:[00000030h]2_2_0199C577
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01998D76 mov eax, dword ptr fs:[00000030h]2_2_01998D76
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01998D76 mov eax, dword ptr fs:[00000030h]2_2_01998D76
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01998D76 mov eax, dword ptr fs:[00000030h]2_2_01998D76
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01998D76 mov eax, dword ptr fs:[00000030h]2_2_01998D76
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01998D76 mov eax, dword ptr fs:[00000030h]2_2_01998D76
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_0198849B mov eax, dword ptr fs:[00000030h]2_2_0198849B
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34496 mov eax, dword ptr fs:[00000030h]2_2_01A34496
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34496 mov eax, dword ptr fs:[00000030h]2_2_01A34496
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34496 mov eax, dword ptr fs:[00000030h]2_2_01A34496
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34496 mov eax, dword ptr fs:[00000030h]2_2_01A34496
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34496 mov eax, dword ptr fs:[00000030h]2_2_01A34496
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34496 mov eax, dword ptr fs:[00000030h]2_2_01A34496
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34496 mov eax, dword ptr fs:[00000030h]2_2_01A34496
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34496 mov eax, dword ptr fs:[00000030h]2_2_01A34496
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34496 mov eax, dword ptr fs:[00000030h]2_2_01A34496
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34496 mov eax, dword ptr fs:[00000030h]2_2_01A34496
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34496 mov eax, dword ptr fs:[00000030h]2_2_01A34496
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34496 mov eax, dword ptr fs:[00000030h]2_2_01A34496
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A34496 mov eax, dword ptr fs:[00000030h]2_2_01A34496
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A314FB mov eax, dword ptr fs:[00000030h]2_2_01A314FB
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019F6CF0 mov eax, dword ptr fs:[00000030h]2_2_019F6CF0
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019F6CF0 mov eax, dword ptr fs:[00000030h]2_2_019F6CF0
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019F6CF0 mov eax, dword ptr fs:[00000030h]2_2_019F6CF0
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_01A48CD6 mov eax, dword ptr fs:[00000030h]2_2_01A48CD6
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019F6C0A mov eax, dword ptr fs:[00000030h]2_2_019F6C0A
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019F6C0A mov eax, dword ptr fs:[00000030h]2_2_019F6C0A
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019F6C0A mov eax, dword ptr fs:[00000030h]2_2_019F6C0A
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019F6C0A mov eax, dword ptr fs:[00000030h]2_2_019F6C0A
          Source: C:\Users\user\Desktop\PDFSLP232.exeCode function: 2_2_019A3C3E mov ea