Play interactive tour

Edit tour

Analysis Report Quotation-4834898943949883.pdf.exe

Overview

General Information

Sample Name:	Quotation-4834898943949883.pdf.exe
Analysis ID:	383906
MD5:	57055ad7429ef21caca78a9428e8a332
SHA1:	4df1aae070d95c2fd6c40ba3070a2af53462f3e6
SHA256:	f15085a9037c117355a6b500780d5df0530a6c6724e4506622565b4c13582876
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Quotation-4834898943949883.pdf.exe (PID: 5956 cmdline: 'C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe' MD5: 57055AD7429EF21CACA78A9428E8A332)

Quotation-4834898943949883.pdf.exe (PID: 4120 cmdline: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe MD5: 57055AD7429EF21CACA78A9428E8A332)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.mcgeefamilychildcare.com/nc6m/"], "decoy": ["saltypar.com", "most.community", "johnmucollection.com", "houzzthings.net", "onemarketips.com", "legalmarketingtx.net", "criminalmindeddesign.com", "dtrinvesting.com", "millertaxpreparation.com", "wckfwwehmo.net", "begoodmeat.com", "tradefinance.fyi", "taxbizfunnels.com", "learnstartupdesign.com", "hxmdelights.com", "christiandantrust.faith", "dimensionshypnosis.com", "261391.com", "cancellednot.com", "paodanmeng.com", "thewayoutbooks.com", "halsdraincleaning.com", "jumlasx.xyz", "sutransformacion.com", "abisagne.com", "yingjiebj.com", "prodgra.com", "phone-review24.club", "weandvirus.com", "thelibertyhomeinspector.com", "fuckblarkie.com", "tappesupportservices.com", "marianiemorazzani.com", "skyybluchildkare.info", "diysecurityreview.com", "insuranceagentwilliams.com", "k-yahagigumi.com", "b3ourg.xyz", "mawhl.net", "billionartoffaith.com", "tech4thelolo.com", "vlvglobal.com", "positive-agenda-advisory.com", "sdzcsyy.com", "jxdiil.com", "craicing.com", "opinionesymodelos.com", "tulsaprintingcompany.com", "papaifotografo.com", "kalpavasi.com", "century21comingsoon.com", "bahiaprincipegrand.com", "tinwinsolar.ltd", "emprenviendo.com", "nineykal.com", "tam-rh.cat", "onlyfanscash.com", "florida-sunny.com", "workmone.online", "sastaafoods.com", "financiallyhealthy.life", "unudix.com", "wwwsumwater.com", "iparametricjobs.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x936b0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9392a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc00d0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc034a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9f44d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xcbe6d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x9ef39:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xcb959:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x9f54f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xcbf6f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x9f6c7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xcc0e7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x94342:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xc0d62:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x9e1b4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xcabd4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9503b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xc1a5b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xa52bf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xd1cdf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xa62c2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xa21e1:$sqlite3step: 68 34 1C 7B E1 0xa22f4:$sqlite3step: 68 34 1C 7B E1 0xcec01:$sqlite3step: 68 34 1C 7B E1 0xced14:$sqlite3step: 68 34 1C 7B E1 0xa2210:$sqlite3text: 68 38 2A 90 C5 0xa2335:$sqlite3text: 68 38 2A 90 C5 0xcec30:$sqlite3text: 68 38 2A 90 C5 0xced55:$sqlite3text: 68 38 2A 90 C5 0xa2223:$sqlite3blob: 68 53 D8 7F 8C 0xa234b:$sqlite3blob: 68 53 D8 7F 8C 0xcec43:$sqlite3blob: 68 53 D8 7F 8C 0xced6b:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Quotation-4834898943949883.pdf.exe PID: 5956	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: www.mcgeefamilychildcare.com/nc6m/

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.mcgeefamilychildcare.com/nc6m/"], "decoy": ["saltypar.com", "most.community", "johnmucollection.com", "houzzthings.net", "onemarketips.com", "legalmarketingtx.net", "criminalmindeddesign.com", "dtrinvesting.com", "millertaxpreparation.com", "wckfwwehmo.net", "begoodmeat.com", "tradefinance.fyi", "taxbizfunnels.com", "learnstartupdesign.com", "hxmdelights.com", "christiandantrust.faith", "dimensionshypnosis.com", "261391.com", "cancellednot.com", "paodanmeng.com", "thewayoutbooks.com", "halsdraincleaning.com", "jumlasx.xyz", "sutransformacion.com", "abisagne.com", "yingjiebj.com", "prodgra.com", "phone-review24.club", "weandvirus.com", "thelibertyhomeinspector.com", "fuckblarkie.com", "tappesupportservices.com", "marianiemorazzani.com", "skyybluchildkare.info", "diysecurityreview.com", "insuranceagentwilliams.com", "k-yahagigumi.com", "b3ourg.xyz", "mawhl.net", "billionartoffaith.com", "tech4thelolo.com", "vlvglobal.com", "positive-agenda-advisory.com", "sdzcsyy.com", "jxdiil.com", "craicing.com", "opinionesymodelos.com", "tulsaprintingcompany.com", "papaifotografo.com", "kalpavasi.com", "century21comingsoon.com", "bahiaprincipegrand.com", "tinwinsolar.ltd", "emprenviendo.com", "nineykal.com", "tam-rh.cat", "onlyfanscash.com", "florida-sunny.com", "workmone.online", "sastaafoods.com", "financiallyhealthy.life", "unudix.com", "wwwsumwater.com", "iparametricjobs.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Quotation-4834898943949883.pdf.exe	Virustotal: Detection: 26%			Perma Link
Source: Quotation-4834898943949883.pdf.exe	ReversingLabs: Detection: 22%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: Quotation-4834898943949883.pdf.exe

Joe Sandbox ML: detected

Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: Quotation-4834898943949883.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Quotation-4834898943949883.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: Quotation-4834898943949883.pdf.exe, 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Quotation-4834898943949883.pdf.exe

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_04D71B98
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_04D71BA8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_0771FBA8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then pop ebx	4_2_00407AFB

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.mcgeefamilychildcare.com/nc6m/

Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240759928.0000000002D72000.00000004.00000001.sdmp, Quotation-4834898943949883.pdf.exe, 00000001.00000002.240654193.0000000002CE1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240759928.0000000002D72000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: Quotation-4834898943949883.pdf.exe	String found in binary or memory: http://tempuri.org/GridOneHSDataSet.xsd
Source: Quotation-4834898943949883.pdf.exe	String found in binary or memory: http://tempuri.org/HighScoresDataSet.xsd
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: Quotation-4834898943949883.pdf.exe
Source: initial sample	Static PE information: Filename: Quotation-4834898943949883.pdf.exe

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07716878 NtQueryInformationProcess,	1_2_07716878
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07716873 NtQueryInformationProcess,	1_2_07716873
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041A060 NtClose,	4_2_0041A060
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041A110 NtAllocateVirtualMemory,	4_2_0041A110
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419F30 NtCreateFile,	4_2_00419F30
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419FE0 NtReadFile,	4_2_00419FE0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419F2A NtCreateFile,	4_2_00419F2A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419F82 NtCreateFile,	4_2_00419F82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499860 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01499860
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499660 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_01499660
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014996E0 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_014996E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499950 NtQueueApcThread,	4_2_01499950
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499910 NtAdjustPrivilegesToken,	4_2_01499910
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014999D0 NtCreateProcessEx,	4_2_014999D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014999A0 NtCreateSection,	4_2_014999A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0149B040 NtSuspendThread,	4_2_0149B040
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499840 NtDelayExecution,	4_2_01499840
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499820 NtEnumerateKey,	4_2_01499820
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014998F0 NtReadVirtualMemory,	4_2_014998F0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014998A0 NtWriteVirtualMemory,	4_2_014998A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499B00 NtSetValueKey,	4_2_01499B00
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0149A3B0 NtGetContextThread,	4_2_0149A3B0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499A50 NtCreateFile,	4_2_01499A50
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499A00 NtProtectVirtualMemory,	4_2_01499A00
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499A10 NtQuerySection,	4_2_01499A10
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499A20 NtResumeThread,	4_2_01499A20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499A80 NtOpenDirectoryObject,	4_2_01499A80
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499540 NtReadFile,	4_2_01499540
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499560 NtWriteFile,	4_2_01499560
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499520 NtWaitForSingleObject,	4_2_01499520
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0149AD30 NtSetContextThread,	4_2_0149AD30
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014995D0 NtClose,	4_2_014995D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014995F0 NtQueryInformationFile,	4_2_014995F0

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0094DCE7	1_2_0094DCE7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0094A9EA	1_2_0094A9EA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_011BC2B0	1_2_011BC2B0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_011B9990	1_2_011B9990
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_04D70448	1_2_04D70448
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_04D71770	1_2_04D71770
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07715520	1_2_07715520
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07710740	1_2_07710740
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711FA8	1_2_07711FA8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711F99	1_2_07711F99
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711D60	1_2_07711D60
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711D51	1_2_07711D51
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0771A550	1_2_0771A550
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07712D40	1_2_07712D40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0771A53F	1_2_0771A53F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07715510	1_2_07715510
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_077114E0	1_2_077114E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_077114D1	1_2_077114D1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711B58	1_2_07711B58
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711B48	1_2_07711B48
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07718BB0	1_2_07718BB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07718BA3	1_2_07718BA3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07716A10	1_2_07716A10
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07712170	1_2_07712170
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07719170	1_2_07719170
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07712163	1_2_07712163
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07710938	1_2_07710938
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07710929	1_2_07710929
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07719180	1_2_07719180
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0094AAC7	1_2_0094AAC7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00401209	4_2_00401209
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041DAFA	4_2_0041DAFA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D378	4_2_0041D378
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00409DFC	4_2_00409DFC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00402D88	4_2_00402D88
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00409E40	4_2_00409E40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D631	4_2_0041D631
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0097A9EA	4_2_0097A9EA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0097DCE7	4_2_0097DCE7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145F900	4_2_0145F900
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01474120	4_2_01474120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01472990	4_2_01472990
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01456800	4_2_01456800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511002	4_2_01511002
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0152E824	4_2_0152E824
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A830	4_2_0147A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015228EC	4_2_015228EC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146B090	4_2_0146B090
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014820A0	4_2_014820A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015220A8	4_2_015220A8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014FCB4F	4_2_014FCB4F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147AB40	4_2_0147AB40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01473360	4_2_01473360
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151231B	4_2_0151231B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01522B28	4_2_01522B28
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151DBD2	4_2_0151DBD2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015103DA	4_2_015103DA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148ABD8	4_2_0148ABD8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014A8BE8	4_2_014A8BE8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015023E3	4_2_015023E3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148138B	4_2_0148138B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014FEB8A	4_2_014FEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147EB9A	4_2_0147EB9A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148EBB0	4_2_0148EBB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B236	4_2_0147B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0150FA2B	4_2_0150FA2B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151E2C5	4_2_0151E2C5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015232A9	4_2_015232A9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015222AE	4_2_015222AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01521D55	4_2_01521D55
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01472D50	4_2_01472D50
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01522D07	4_2_01522D07
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01450D20	4_2_01450D20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015225DD	4_2_015225DD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146D5E0	4_2_0146D5E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482581	4_2_01482581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014865A0	4_2_014865A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151D466	4_2_0151D466
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146841F	4_2_0146841F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01472430	4_2_01472430
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0097AAC7	4_2_0097AAC7

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: String function: 0145B150 appears 121 times
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: String function: 014E5720 appears 62 times

Source: Quotation-4834898943949883.pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Quotation-4834898943949883.pdf.exe	Binary or memory string: OriginalFilename vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245565115.0000000007680000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000000.217395296.0000000000942000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameReadBufferAsyncd97.exe4 vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240654193.0000000002CE1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245113568.0000000006E30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe	Binary or memory string: OriginalFilename vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000004.00000000.238479725.0000000000972000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameReadBufferAsyncd97.exe4 vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000004.00000002.241413507.000000000154F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe	Binary or memory string: OriginalFilenameReadBufferAsyncd97.exe4 vs Quotation-4834898943949883.pdf.exe

Source: Quotation-4834898943949883.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Quotation-4834898943949883.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation-4834898943949883.pdf.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Mutant created: \Sessions\1\BaseNamedObjects\uwviaTyAYnlyFJcXtcTQZZrdZh

Source: Quotation-4834898943949883.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: Quotation-4834898943949883.pdf.exe	Virustotal: Detection: 26%
Source: Quotation-4834898943949883.pdf.exe	ReversingLabs: Detection: 22%

Source: unknown	Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe 'C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe'
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Quotation-4834898943949883.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quotation-4834898943949883.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: Quotation-4834898943949883.pdf.exe, 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Quotation-4834898943949883.pdf.exe

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0094D65F push es; retn 0001h	1_2_0094D6BD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0094DC4E push 00000000h; iretd	1_2_0094DC98
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07716E6F pushfd ; retf	1_2_07716E78
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D0D2 push eax; ret	4_2_0041D0D8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D0DB push eax; ret	4_2_0041D142
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D085 push eax; ret	4_2_0041D0D8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D13C push eax; ret	4_2_0041D142
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0040B3F8 push ebx; iretd	4_2_0040B3FB
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041766B push eax; ret	4_2_0041766E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0040DF92 push ebp; retf	4_2_0040DF93
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041AFBA pushad ; retf	4_2_0041AFBE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0097DC4E push 00000000h; iretd	4_2_0097DC98
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0097D65F push es; retn 0001h	4_2_0097D6BD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014AD0D1 push ecx; ret	4_2_014AD0E4

Source: initial sample

Static PE information: section name: .text entropy: 7.61748315782

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.exe

Static PE information: Quotation-4834898943949883.pdf.exe

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation-4834898943949883.pdf.exe PID: 5956, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Code function: 4_2_00409A90 rdtsc

4_2_00409A90

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe TID: 5952	Thread sleep time: -100018s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe TID: 6028	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Thread delayed: delay time: 100018			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Code function: 4_2_00409A90 rdtsc

4_2_00409A90

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Code function: 4_2_01499860 NtQuerySystemInformation,LdrInitializeThunk,

4_2_01499860

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511951 mov eax, dword ptr fs:[00000030h]	4_2_01511951
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B944 mov eax, dword ptr fs:[00000030h]	4_2_0147B944
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B944 mov eax, dword ptr fs:[00000030h]	4_2_0147B944
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145395E mov eax, dword ptr fs:[00000030h]	4_2_0145395E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145395E mov eax, dword ptr fs:[00000030h]	4_2_0145395E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145C962 mov eax, dword ptr fs:[00000030h]	4_2_0145C962
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151E962 mov eax, dword ptr fs:[00000030h]	4_2_0151E962
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145B171 mov eax, dword ptr fs:[00000030h]	4_2_0145B171
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145B171 mov eax, dword ptr fs:[00000030h]	4_2_0145B171
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528966 mov eax, dword ptr fs:[00000030h]	4_2_01528966
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459100 mov eax, dword ptr fs:[00000030h]	4_2_01459100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459100 mov eax, dword ptr fs:[00000030h]	4_2_01459100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459100 mov eax, dword ptr fs:[00000030h]	4_2_01459100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01460100 mov eax, dword ptr fs:[00000030h]	4_2_01460100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01460100 mov eax, dword ptr fs:[00000030h]	4_2_01460100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01460100 mov eax, dword ptr fs:[00000030h]	4_2_01460100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01474120 mov eax, dword ptr fs:[00000030h]	4_2_01474120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01474120 mov eax, dword ptr fs:[00000030h]	4_2_01474120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01474120 mov eax, dword ptr fs:[00000030h]	4_2_01474120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01474120 mov eax, dword ptr fs:[00000030h]	4_2_01474120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01474120 mov ecx, dword ptr fs:[00000030h]	4_2_01474120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148513A mov eax, dword ptr fs:[00000030h]	4_2_0148513A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148513A mov eax, dword ptr fs:[00000030h]	4_2_0148513A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01453138 mov ecx, dword ptr fs:[00000030h]	4_2_01453138
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014699C7 mov eax, dword ptr fs:[00000030h]	4_2_014699C7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014699C7 mov eax, dword ptr fs:[00000030h]	4_2_014699C7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014699C7 mov eax, dword ptr fs:[00000030h]	4_2_014699C7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014699C7 mov eax, dword ptr fs:[00000030h]	4_2_014699C7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015119D8 mov eax, dword ptr fs:[00000030h]	4_2_015119D8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145B1E1 mov eax, dword ptr fs:[00000030h]	4_2_0145B1E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145B1E1 mov eax, dword ptr fs:[00000030h]	4_2_0145B1E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145B1E1 mov eax, dword ptr fs:[00000030h]	4_2_0145B1E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014531E0 mov eax, dword ptr fs:[00000030h]	4_2_014531E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014E41E8 mov eax, dword ptr fs:[00000030h]	4_2_014E41E8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015289E7 mov eax, dword ptr fs:[00000030h]	4_2_015289E7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147C182 mov eax, dword ptr fs:[00000030h]	4_2_0147C182
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148A185 mov eax, dword ptr fs:[00000030h]	4_2_0148A185
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482990 mov eax, dword ptr fs:[00000030h]	4_2_01482990
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484190 mov eax, dword ptr fs:[00000030h]	4_2_01484190
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151A189 mov eax, dword ptr fs:[00000030h]	4_2_0151A189
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151A189 mov ecx, dword ptr fs:[00000030h]	4_2_0151A189
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145519E mov eax, dword ptr fs:[00000030h]	4_2_0145519E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145519E mov ecx, dword ptr fs:[00000030h]	4_2_0145519E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0152F1B5 mov eax, dword ptr fs:[00000030h]	4_2_0152F1B5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0152F1B5 mov eax, dword ptr fs:[00000030h]	4_2_0152F1B5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014861A0 mov eax, dword ptr fs:[00000030h]	4_2_014861A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014861A0 mov eax, dword ptr fs:[00000030h]	4_2_014861A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D69A6 mov eax, dword ptr fs:[00000030h]	4_2_014D69A6
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D51BE mov eax, dword ptr fs:[00000030h]	4_2_014D51BE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D51BE mov eax, dword ptr fs:[00000030h]	4_2_014D51BE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D51BE mov eax, dword ptr fs:[00000030h]	4_2_014D51BE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D51BE mov eax, dword ptr fs:[00000030h]	4_2_014D51BE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015149A4 mov eax, dword ptr fs:[00000030h]	4_2_015149A4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015149A4 mov eax, dword ptr fs:[00000030h]	4_2_015149A4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015149A4 mov eax, dword ptr fs:[00000030h]	4_2_015149A4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015149A4 mov eax, dword ptr fs:[00000030h]	4_2_015149A4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148C9BF mov eax, dword ptr fs:[00000030h]	4_2_0148C9BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148C9BF mov eax, dword ptr fs:[00000030h]	4_2_0148C9BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov eax, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov eax, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov eax, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov eax, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511843 mov eax, dword ptr fs:[00000030h]	4_2_01511843
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01457057 mov eax, dword ptr fs:[00000030h]	4_2_01457057
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455050 mov eax, dword ptr fs:[00000030h]	4_2_01455050
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455050 mov eax, dword ptr fs:[00000030h]	4_2_01455050
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455050 mov eax, dword ptr fs:[00000030h]	4_2_01455050
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01470050 mov eax, dword ptr fs:[00000030h]	4_2_01470050
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01470050 mov eax, dword ptr fs:[00000030h]	4_2_01470050
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512073 mov eax, dword ptr fs:[00000030h]	4_2_01512073
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01521074 mov eax, dword ptr fs:[00000030h]	4_2_01521074
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147F86D mov eax, dword ptr fs:[00000030h]	4_2_0147F86D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01456800 mov eax, dword ptr fs:[00000030h]	4_2_01456800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01456800 mov eax, dword ptr fs:[00000030h]	4_2_01456800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01456800 mov eax, dword ptr fs:[00000030h]	4_2_01456800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01524015 mov eax, dword ptr fs:[00000030h]	4_2_01524015
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01524015 mov eax, dword ptr fs:[00000030h]	4_2_01524015
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D7016 mov eax, dword ptr fs:[00000030h]	4_2_014D7016
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D7016 mov eax, dword ptr fs:[00000030h]	4_2_014D7016
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D7016 mov eax, dword ptr fs:[00000030h]	4_2_014D7016
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148002D mov eax, dword ptr fs:[00000030h]	4_2_0148002D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148002D mov eax, dword ptr fs:[00000030h]	4_2_0148002D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148002D mov eax, dword ptr fs:[00000030h]	4_2_0148002D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148002D mov eax, dword ptr fs:[00000030h]	4_2_0148002D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148002D mov eax, dword ptr fs:[00000030h]	4_2_0148002D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484020 mov edi, dword ptr fs:[00000030h]	4_2_01484020
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146B02A mov eax, dword ptr fs:[00000030h]	4_2_0146B02A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146B02A mov eax, dword ptr fs:[00000030h]	4_2_0146B02A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146B02A mov eax, dword ptr fs:[00000030h]	4_2_0146B02A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146B02A mov eax, dword ptr fs:[00000030h]	4_2_0146B02A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A830 mov eax, dword ptr fs:[00000030h]	4_2_0147A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A830 mov eax, dword ptr fs:[00000030h]	4_2_0147A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A830 mov eax, dword ptr fs:[00000030h]	4_2_0147A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A830 mov eax, dword ptr fs:[00000030h]	4_2_0147A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014570C0 mov eax, dword ptr fs:[00000030h]	4_2_014570C0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014570C0 mov eax, dword ptr fs:[00000030h]	4_2_014570C0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015118CA mov eax, dword ptr fs:[00000030h]	4_2_015118CA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EB8D0 mov eax, dword ptr fs:[00000030h]	4_2_014EB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EB8D0 mov ecx, dword ptr fs:[00000030h]	4_2_014EB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EB8D0 mov eax, dword ptr fs:[00000030h]	4_2_014EB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EB8D0 mov eax, dword ptr fs:[00000030h]	4_2_014EB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EB8D0 mov eax, dword ptr fs:[00000030h]	4_2_014EB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EB8D0 mov eax, dword ptr fs:[00000030h]	4_2_014EB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B8E4 mov eax, dword ptr fs:[00000030h]	4_2_0147B8E4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B8E4 mov eax, dword ptr fs:[00000030h]	4_2_0147B8E4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014540E1 mov eax, dword ptr fs:[00000030h]	4_2_014540E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014540E1 mov eax, dword ptr fs:[00000030h]	4_2_014540E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014540E1 mov eax, dword ptr fs:[00000030h]	4_2_014540E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014558EC mov eax, dword ptr fs:[00000030h]	4_2_014558EC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628FD mov eax, dword ptr fs:[00000030h]	4_2_014628FD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628FD mov eax, dword ptr fs:[00000030h]	4_2_014628FD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628FD mov eax, dword ptr fs:[00000030h]	4_2_014628FD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459080 mov eax, dword ptr fs:[00000030h]	4_2_01459080
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01453880 mov eax, dword ptr fs:[00000030h]	4_2_01453880
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01453880 mov eax, dword ptr fs:[00000030h]	4_2_01453880
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D3884 mov eax, dword ptr fs:[00000030h]	4_2_014D3884
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D3884 mov eax, dword ptr fs:[00000030h]	4_2_014D3884
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014990AF mov eax, dword ptr fs:[00000030h]	4_2_014990AF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014820A0 mov eax, dword ptr fs:[00000030h]	4_2_014820A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014820A0 mov eax, dword ptr fs:[00000030h]	4_2_014820A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014820A0 mov eax, dword ptr fs:[00000030h]	4_2_014820A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014820A0 mov eax, dword ptr fs:[00000030h]	4_2_014820A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014820A0 mov eax, dword ptr fs:[00000030h]	4_2_014820A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014820A0 mov eax, dword ptr fs:[00000030h]	4_2_014820A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628AE mov eax, dword ptr fs:[00000030h]	4_2_014628AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628AE mov eax, dword ptr fs:[00000030h]	4_2_014628AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628AE mov eax, dword ptr fs:[00000030h]	4_2_014628AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628AE mov ecx, dword ptr fs:[00000030h]	4_2_014628AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628AE mov eax, dword ptr fs:[00000030h]	4_2_014628AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628AE mov eax, dword ptr fs:[00000030h]	4_2_014628AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148F0BF mov ecx, dword ptr fs:[00000030h]	4_2_0148F0BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148F0BF mov eax, dword ptr fs:[00000030h]	4_2_0148F0BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148F0BF mov eax, dword ptr fs:[00000030h]	4_2_0148F0BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145DB40 mov eax, dword ptr fs:[00000030h]	4_2_0145DB40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528B58 mov eax, dword ptr fs:[00000030h]	4_2_01528B58
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01483B5A mov eax, dword ptr fs:[00000030h]	4_2_01483B5A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01483B5A mov eax, dword ptr fs:[00000030h]	4_2_01483B5A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01483B5A mov eax, dword ptr fs:[00000030h]	4_2_01483B5A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01483B5A mov eax, dword ptr fs:[00000030h]	4_2_01483B5A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145F358 mov eax, dword ptr fs:[00000030h]	4_2_0145F358
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145DB60 mov ecx, dword ptr fs:[00000030h]	4_2_0145DB60
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014E6365 mov eax, dword ptr fs:[00000030h]	4_2_014E6365
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014E6365 mov eax, dword ptr fs:[00000030h]	4_2_014E6365
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014E6365 mov eax, dword ptr fs:[00000030h]	4_2_014E6365
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01483B7A mov eax, dword ptr fs:[00000030h]	4_2_01483B7A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01483B7A mov eax, dword ptr fs:[00000030h]	4_2_01483B7A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146F370 mov eax, dword ptr fs:[00000030h]	4_2_0146F370
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146F370 mov eax, dword ptr fs:[00000030h]	4_2_0146F370
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146F370 mov eax, dword ptr fs:[00000030h]	4_2_0146F370
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151131B mov eax, dword ptr fs:[00000030h]	4_2_0151131B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D53CA mov eax, dword ptr fs:[00000030h]	4_2_014D53CA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D53CA mov eax, dword ptr fs:[00000030h]	4_2_014D53CA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014853C5 mov eax, dword ptr fs:[00000030h]	4_2_014853C5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014803E2 mov eax, dword ptr fs:[00000030h]	4_2_014803E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014803E2 mov eax, dword ptr fs:[00000030h]	4_2_014803E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014803E2 mov eax, dword ptr fs:[00000030h]	4_2_014803E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014803E2 mov eax, dword ptr fs:[00000030h]	4_2_014803E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014803E2 mov eax, dword ptr fs:[00000030h]	4_2_014803E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014803E2 mov eax, dword ptr fs:[00000030h]	4_2_014803E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01451BE9 mov eax, dword ptr fs:[00000030h]	4_2_01451BE9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147DBE9 mov eax, dword ptr fs:[00000030h]	4_2_0147DBE9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015023E3 mov ecx, dword ptr fs:[00000030h]	4_2_015023E3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015023E3 mov ecx, dword ptr fs:[00000030h]	4_2_015023E3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015023E3 mov eax, dword ptr fs:[00000030h]	4_2_015023E3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148138B mov eax, dword ptr fs:[00000030h]	4_2_0148138B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148138B mov eax, dword ptr fs:[00000030h]	4_2_0148138B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148138B mov eax, dword ptr fs:[00000030h]	4_2_0148138B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014FEB8A mov ecx, dword ptr fs:[00000030h]	4_2_014FEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014FEB8A mov eax, dword ptr fs:[00000030h]	4_2_014FEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014FEB8A mov eax, dword ptr fs:[00000030h]	4_2_014FEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014FEB8A mov eax, dword ptr fs:[00000030h]	4_2_014FEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01461B8F mov eax, dword ptr fs:[00000030h]	4_2_01461B8F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01461B8F mov eax, dword ptr fs:[00000030h]	4_2_01461B8F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0150D380 mov ecx, dword ptr fs:[00000030h]	4_2_0150D380
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01454B94 mov edi, dword ptr fs:[00000030h]	4_2_01454B94
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148B390 mov eax, dword ptr fs:[00000030h]	4_2_0148B390
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151138A mov eax, dword ptr fs:[00000030h]	4_2_0151138A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147EB9A mov eax, dword ptr fs:[00000030h]	4_2_0147EB9A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147EB9A mov eax, dword ptr fs:[00000030h]	4_2_0147EB9A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482397 mov eax, dword ptr fs:[00000030h]	4_2_01482397
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528BB6 mov eax, dword ptr fs:[00000030h]	4_2_01528BB6
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484BAD mov eax, dword ptr fs:[00000030h]	4_2_01484BAD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484BAD mov eax, dword ptr fs:[00000030h]	4_2_01484BAD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484BAD mov eax, dword ptr fs:[00000030h]	4_2_01484BAD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01529BBE mov eax, dword ptr fs:[00000030h]	4_2_01529BBE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01525BA5 mov eax, dword ptr fs:[00000030h]	4_2_01525BA5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511BA8 mov eax, dword ptr fs:[00000030h]	4_2_01511BA8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151EA55 mov eax, dword ptr fs:[00000030h]	4_2_0151EA55
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459240 mov eax, dword ptr fs:[00000030h]	4_2_01459240
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459240 mov eax, dword ptr fs:[00000030h]	4_2_01459240
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459240 mov eax, dword ptr fs:[00000030h]	4_2_01459240
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459240 mov eax, dword ptr fs:[00000030h]	4_2_01459240
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511A5F mov eax, dword ptr fs:[00000030h]	4_2_01511A5F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014E4257 mov eax, dword ptr fs:[00000030h]	4_2_014E4257
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01495A69 mov eax, dword ptr fs:[00000030h]	4_2_01495A69
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01495A69 mov eax, dword ptr fs:[00000030h]	4_2_01495A69
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01495A69 mov eax, dword ptr fs:[00000030h]	4_2_01495A69
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0150B260 mov eax, dword ptr fs:[00000030h]	4_2_0150B260
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0150B260 mov eax, dword ptr fs:[00000030h]	4_2_0150B260
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528A62 mov eax, dword ptr fs:[00000030h]	4_2_01528A62
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0149927A mov eax, dword ptr fs:[00000030h]	4_2_0149927A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151AA16 mov eax, dword ptr fs:[00000030h]	4_2_0151AA16
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151AA16 mov eax, dword ptr fs:[00000030h]	4_2_0151AA16
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01468A0A mov eax, dword ptr fs:[00000030h]	4_2_01468A0A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145AA16 mov eax, dword ptr fs:[00000030h]	4_2_0145AA16
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145AA16 mov eax, dword ptr fs:[00000030h]	4_2_0145AA16
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455210 mov eax, dword ptr fs:[00000030h]	4_2_01455210
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455210 mov ecx, dword ptr fs:[00000030h]	4_2_01455210
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455210 mov eax, dword ptr fs:[00000030h]	4_2_01455210
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455210 mov eax, dword ptr fs:[00000030h]	4_2_01455210
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01473A1C mov eax, dword ptr fs:[00000030h]	4_2_01473A1C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01494A2C mov eax, dword ptr fs:[00000030h]	4_2_01494A2C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01494A2C mov eax, dword ptr fs:[00000030h]	4_2_01494A2C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01454A20 mov eax, dword ptr fs:[00000030h]	4_2_01454A20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01454A20 mov eax, dword ptr fs:[00000030h]	4_2_01454A20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B236 mov eax, dword ptr fs:[00000030h]	4_2_0147B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B236 mov eax, dword ptr fs:[00000030h]	4_2_0147B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B236 mov eax, dword ptr fs:[00000030h]	4_2_0147B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B236 mov eax, dword ptr fs:[00000030h]	4_2_0147B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B236 mov eax, dword ptr fs:[00000030h]	4_2_0147B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B236 mov eax, dword ptr fs:[00000030h]	4_2_0147B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511229 mov eax, dword ptr fs:[00000030h]	4_2_01511229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01458239 mov eax, dword ptr fs:[00000030h]	4_2_01458239
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01458239 mov eax, dword ptr fs:[00000030h]	4_2_01458239
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01458239 mov eax, dword ptr fs:[00000030h]	4_2_01458239
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482ACB mov eax, dword ptr fs:[00000030h]	4_2_01482ACB
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455AC0 mov eax, dword ptr fs:[00000030h]	4_2_01455AC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455AC0 mov eax, dword ptr fs:[00000030h]	4_2_01455AC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455AC0 mov eax, dword ptr fs:[00000030h]	4_2_01455AC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01453ACA mov eax, dword ptr fs:[00000030h]	4_2_01453ACA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528ADD mov eax, dword ptr fs:[00000030h]	4_2_01528ADD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014512D4 mov eax, dword ptr fs:[00000030h]	4_2_014512D4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482AE4 mov eax, dword ptr fs:[00000030h]	4_2_01482AE4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148DA88 mov eax, dword ptr fs:[00000030h]	4_2_0148DA88
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148DA88 mov eax, dword ptr fs:[00000030h]	4_2_0148DA88
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151129A mov eax, dword ptr fs:[00000030h]	4_2_0151129A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148D294 mov eax, dword ptr fs:[00000030h]	4_2_0148D294
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148D294 mov eax, dword ptr fs:[00000030h]	4_2_0148D294
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014552A5 mov eax, dword ptr fs:[00000030h]	4_2_014552A5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014552A5 mov eax, dword ptr fs:[00000030h]	4_2_014552A5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014552A5 mov eax, dword ptr fs:[00000030h]	4_2_014552A5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014552A5 mov eax, dword ptr fs:[00000030h]	4_2_014552A5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014552A5 mov eax, dword ptr fs:[00000030h]	4_2_014552A5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01451AA0 mov eax, dword ptr fs:[00000030h]	4_2_01451AA0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01485AA0 mov eax, dword ptr fs:[00000030h]	4_2_01485AA0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01485AA0 mov eax, dword ptr fs:[00000030h]	4_2_01485AA0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014812BD mov esi, dword ptr fs:[00000030h]	4_2_014812BD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014812BD mov eax, dword ptr fs:[00000030h]	4_2_014812BD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014812BD mov eax, dword ptr fs:[00000030h]	4_2_014812BD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146AAB0 mov eax, dword ptr fs:[00000030h]	4_2_0146AAB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146AAB0 mov eax, dword ptr fs:[00000030h]	4_2_0146AAB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148FAB0 mov eax, dword ptr fs:[00000030h]	4_2_0148FAB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145354C mov eax, dword ptr fs:[00000030h]	4_2_0145354C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145354C mov eax, dword ptr fs:[00000030h]	4_2_0145354C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01493D43 mov eax, dword ptr fs:[00000030h]	4_2_01493D43
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D3540 mov eax, dword ptr fs:[00000030h]	4_2_014D3540
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01503D40 mov eax, dword ptr fs:[00000030h]	4_2_01503D40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01477D50 mov eax, dword ptr fs:[00000030h]	4_2_01477D50
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01508D47 mov eax, dword ptr fs:[00000030h]	4_2_01508D47
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01494D51 mov eax, dword ptr fs:[00000030h]	4_2_01494D51
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01494D51 mov eax, dword ptr fs:[00000030h]	4_2_01494D51
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147C577 mov eax, dword ptr fs:[00000030h]	4_2_0147C577
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147C577 mov eax, dword ptr fs:[00000030h]	4_2_0147C577
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01478D76 mov eax, dword ptr fs:[00000030h]	4_2_01478D76
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01478D76 mov eax, dword ptr fs:[00000030h]	4_2_01478D76
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01478D76 mov eax, dword ptr fs:[00000030h]	4_2_01478D76
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01478D76 mov eax, dword ptr fs:[00000030h]	4_2_01478D76
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01478D76 mov eax, dword ptr fs:[00000030h]	4_2_01478D76
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01513518 mov eax, dword ptr fs:[00000030h]	4_2_01513518
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01513518 mov eax, dword ptr fs:[00000030h]	4_2_01513518
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01513518 mov eax, dword ptr fs:[00000030h]	4_2_01513518
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528D34 mov eax, dword ptr fs:[00000030h]	4_2_01528D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151E539 mov eax, dword ptr fs:[00000030h]	4_2_0151E539
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148F527 mov eax, dword ptr fs:[00000030h]	4_2_0148F527
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148F527 mov eax, dword ptr fs:[00000030h]	4_2_0148F527
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148F527 mov eax, dword ptr fs:[00000030h]	4_2_0148F527
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484D3B mov eax, dword ptr fs:[00000030h]	4_2_01484D3B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484D3B mov eax, dword ptr fs:[00000030h]	4_2_01484D3B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484D3B mov eax, dword ptr fs:[00000030h]	4_2_01484D3B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145AD30 mov eax, dword ptr fs:[00000030h]	4_2_0145AD30
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014DA537 mov eax, dword ptr fs:[00000030h]	4_2_014DA537
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0150FDD3 mov eax, dword ptr fs:[00000030h]	4_2_0150FDD3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6DC9 mov eax, dword ptr fs:[00000030h]	4_2_014D6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6DC9 mov eax, dword ptr fs:[00000030h]	4_2_014D6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6DC9 mov eax, dword ptr fs:[00000030h]	4_2_014D6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6DC9 mov ecx, dword ptr fs:[00000030h]	4_2_014D6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6DC9 mov eax, dword ptr fs:[00000030h]	4_2_014D6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6DC9 mov eax, dword ptr fs:[00000030h]	4_2_014D6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014515C1 mov eax, dword ptr fs:[00000030h]	4_2_014515C1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01508DF1 mov eax, dword ptr fs:[00000030h]	4_2_01508DF1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014895EC mov eax, dword ptr fs:[00000030h]	4_2_014895EC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146D5E0 mov eax, dword ptr fs:[00000030h]	4_2_0146D5E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146D5E0 mov eax, dword ptr fs:[00000030h]	4_2_0146D5E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151FDE2 mov eax, dword ptr fs:[00000030h]	4_2_0151FDE2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151FDE2 mov eax, dword ptr fs:[00000030h]	4_2_0151FDE2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151FDE2 mov eax, dword ptr fs:[00000030h]	4_2_0151FDE2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151FDE2 mov eax, dword ptr fs:[00000030h]	4_2_0151FDE2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014595F0 mov eax, dword ptr fs:[00000030h]	4_2_014595F0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014595F0 mov ecx, dword ptr fs:[00000030h]	4_2_014595F0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482581 mov eax, dword ptr fs:[00000030h]	4_2_01482581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482581 mov eax, dword ptr fs:[00000030h]	4_2_01482581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482581 mov eax, dword ptr fs:[00000030h]	4_2_01482581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482581 mov eax, dword ptr fs:[00000030h]	4_2_01482581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01452D8A mov eax, dword ptr fs:[00000030h]	4_2_01452D8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01452D8A mov eax, dword ptr fs:[00000030h]	4_2_01452D8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01452D8A mov eax, dword ptr fs:[00000030h]	4_2_01452D8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01452D8A mov eax, dword ptr fs:[00000030h]	4_2_01452D8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01452D8A mov eax, dword ptr fs:[00000030h]	4_2_01452D8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151B581 mov eax, dword ptr fs:[00000030h]	4_2_0151B581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151B581 mov eax, dword ptr fs:[00000030h]	4_2_0151B581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151B581 mov eax, dword ptr fs:[00000030h]	4_2_0151B581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151B581 mov eax, dword ptr fs:[00000030h]	4_2_0151B581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148FD9B mov eax, dword ptr fs:[00000030h]	4_2_0148FD9B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148FD9B mov eax, dword ptr fs:[00000030h]	4_2_0148FD9B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82 mov eax, dword ptr fs:[00000030h]	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82 mov eax, dword ptr fs:[00000030h]	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82 mov eax, dword ptr fs:[00000030h]	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82 mov eax, dword ptr fs:[00000030h]	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82 mov eax, dword ptr fs:[00000030h]	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82 mov eax, dword ptr fs:[00000030h]	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82 mov eax, dword ptr fs:[00000030h]	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01453591 mov eax, dword ptr fs:[00000030h]	4_2_01453591
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014865A0 mov eax, dword ptr fs:[00000030h]	4_2_014865A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014865A0 mov eax, dword ptr fs:[00000030h]	4_2_014865A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014865A0 mov eax, dword ptr fs:[00000030h]	4_2_014865A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014835A1 mov eax, dword ptr fs:[00000030h]	4_2_014835A1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01481DB5 mov eax, dword ptr fs:[00000030h]	4_2_01481DB5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01481DB5 mov eax, dword ptr fs:[00000030h]	4_2_01481DB5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01481DB5 mov eax, dword ptr fs:[00000030h]	4_2_01481DB5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015205AC mov eax, dword ptr fs:[00000030h]	4_2_015205AC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015205AC mov eax, dword ptr fs:[00000030h]	4_2_015205AC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528450 mov eax, dword ptr fs:[00000030h]	4_2_01528450
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148A44B mov eax, dword ptr fs:[00000030h]	4_2_0148A44B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EC450 mov eax, dword ptr fs:[00000030h]	4_2_014EC450
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EC450 mov eax, dword ptr fs:[00000030h]	4_2_014EC450
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528C75 mov eax, dword ptr fs:[00000030h]	4_2_01528C75
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147746D mov eax, dword ptr fs:[00000030h]	4_2_0147746D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148AC7B mov eax, dword ptr fs:[00000030h]	4_2_0148AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148AC7B mov eax, dword ptr fs:[00000030h]	4_2_0148AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148AC7B mov eax, dword ptr fs:[00000030h]	4_2_0148AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148AC7B mov eax, dword ptr fs:[00000030h]	4_2_0148AC7B
Source: C:\Users\user\Deskto

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Quotation-4834898943949883.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging: