Play interactive tour

Edit tour

Analysis Report Quotation-4834898943949883.pdf.exe

Overview

General Information

Sample Name:	Quotation-4834898943949883.pdf.exe
Analysis ID:	383906
MD5:	57055ad7429ef21caca78a9428e8a332
SHA1:	4df1aae070d95c2fd6c40ba3070a2af53462f3e6
SHA256:	f15085a9037c117355a6b500780d5df0530a6c6724e4506622565b4c13582876
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Quotation-4834898943949883.pdf.exe (PID: 5956 cmdline: 'C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe' MD5: 57055AD7429EF21CACA78A9428E8A332)

Quotation-4834898943949883.pdf.exe (PID: 4120 cmdline: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe MD5: 57055AD7429EF21CACA78A9428E8A332)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.mcgeefamilychildcare.com/nc6m/"], "decoy": ["saltypar.com", "most.community", "johnmucollection.com", "houzzthings.net", "onemarketips.com", "legalmarketingtx.net", "criminalmindeddesign.com", "dtrinvesting.com", "millertaxpreparation.com", "wckfwwehmo.net", "begoodmeat.com", "tradefinance.fyi", "taxbizfunnels.com", "learnstartupdesign.com", "hxmdelights.com", "christiandantrust.faith", "dimensionshypnosis.com", "261391.com", "cancellednot.com", "paodanmeng.com", "thewayoutbooks.com", "halsdraincleaning.com", "jumlasx.xyz", "sutransformacion.com", "abisagne.com", "yingjiebj.com", "prodgra.com", "phone-review24.club", "weandvirus.com", "thelibertyhomeinspector.com", "fuckblarkie.com", "tappesupportservices.com", "marianiemorazzani.com", "skyybluchildkare.info", "diysecurityreview.com", "insuranceagentwilliams.com", "k-yahagigumi.com", "b3ourg.xyz", "mawhl.net", "billionartoffaith.com", "tech4thelolo.com", "vlvglobal.com", "positive-agenda-advisory.com", "sdzcsyy.com", "jxdiil.com", "craicing.com", "opinionesymodelos.com", "tulsaprintingcompany.com", "papaifotografo.com", "kalpavasi.com", "century21comingsoon.com", "bahiaprincipegrand.com", "tinwinsolar.ltd", "emprenviendo.com", "nineykal.com", "tam-rh.cat", "onlyfanscash.com", "florida-sunny.com", "workmone.online", "sastaafoods.com", "financiallyhealthy.life", "unudix.com", "wwwsumwater.com", "iparametricjobs.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x936b0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9392a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc00d0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc034a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9f44d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xcbe6d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x9ef39:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xcb959:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x9f54f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xcbf6f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x9f6c7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xcc0e7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x94342:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xc0d62:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x9e1b4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xcabd4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9503b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xc1a5b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xa52bf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xd1cdf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xa62c2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xa21e1:$sqlite3step: 68 34 1C 7B E1 0xa22f4:$sqlite3step: 68 34 1C 7B E1 0xcec01:$sqlite3step: 68 34 1C 7B E1 0xced14:$sqlite3step: 68 34 1C 7B E1 0xa2210:$sqlite3text: 68 38 2A 90 C5 0xa2335:$sqlite3text: 68 38 2A 90 C5 0xcec30:$sqlite3text: 68 38 2A 90 C5 0xced55:$sqlite3text: 68 38 2A 90 C5 0xa2223:$sqlite3blob: 68 53 D8 7F 8C 0xa234b:$sqlite3blob: 68 53 D8 7F 8C 0xcec43:$sqlite3blob: 68 53 D8 7F 8C 0xced6b:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Quotation-4834898943949883.pdf.exe PID: 5956	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: www.mcgeefamilychildcare.com/nc6m/

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.mcgeefamilychildcare.com/nc6m/"], "decoy": ["saltypar.com", "most.community", "johnmucollection.com", "houzzthings.net", "onemarketips.com", "legalmarketingtx.net", "criminalmindeddesign.com", "dtrinvesting.com", "millertaxpreparation.com", "wckfwwehmo.net", "begoodmeat.com", "tradefinance.fyi", "taxbizfunnels.com", "learnstartupdesign.com", "hxmdelights.com", "christiandantrust.faith", "dimensionshypnosis.com", "261391.com", "cancellednot.com", "paodanmeng.com", "thewayoutbooks.com", "halsdraincleaning.com", "jumlasx.xyz", "sutransformacion.com", "abisagne.com", "yingjiebj.com", "prodgra.com", "phone-review24.club", "weandvirus.com", "thelibertyhomeinspector.com", "fuckblarkie.com", "tappesupportservices.com", "marianiemorazzani.com", "skyybluchildkare.info", "diysecurityreview.com", "insuranceagentwilliams.com", "k-yahagigumi.com", "b3ourg.xyz", "mawhl.net", "billionartoffaith.com", "tech4thelolo.com", "vlvglobal.com", "positive-agenda-advisory.com", "sdzcsyy.com", "jxdiil.com", "craicing.com", "opinionesymodelos.com", "tulsaprintingcompany.com", "papaifotografo.com", "kalpavasi.com", "century21comingsoon.com", "bahiaprincipegrand.com", "tinwinsolar.ltd", "emprenviendo.com", "nineykal.com", "tam-rh.cat", "onlyfanscash.com", "florida-sunny.com", "workmone.online", "sastaafoods.com", "financiallyhealthy.life", "unudix.com", "wwwsumwater.com", "iparametricjobs.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Quotation-4834898943949883.pdf.exe	Virustotal: Detection: 26%			Perma Link
Source: Quotation-4834898943949883.pdf.exe	ReversingLabs: Detection: 22%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: Quotation-4834898943949883.pdf.exe

Joe Sandbox ML: detected

Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: Quotation-4834898943949883.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Quotation-4834898943949883.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: Quotation-4834898943949883.pdf.exe, 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Quotation-4834898943949883.pdf.exe

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_04D71B98
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_04D71BA8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_0771FBA8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then pop ebx	4_2_00407AFB

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.mcgeefamilychildcare.com/nc6m/

Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240759928.0000000002D72000.00000004.00000001.sdmp, Quotation-4834898943949883.pdf.exe, 00000001.00000002.240654193.0000000002CE1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240759928.0000000002D72000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: Quotation-4834898943949883.pdf.exe	String found in binary or memory: http://tempuri.org/GridOneHSDataSet.xsd
Source: Quotation-4834898943949883.pdf.exe	String found in binary or memory: http://tempuri.org/HighScoresDataSet.xsd
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: Quotation-4834898943949883.pdf.exe
Source: initial sample	Static PE information: Filename: Quotation-4834898943949883.pdf.exe

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07716878 NtQueryInformationProcess,	1_2_07716878
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07716873 NtQueryInformationProcess,	1_2_07716873
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041A060 NtClose,	4_2_0041A060
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041A110 NtAllocateVirtualMemory,	4_2_0041A110
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419F30 NtCreateFile,	4_2_00419F30
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419FE0 NtReadFile,	4_2_00419FE0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419F2A NtCreateFile,	4_2_00419F2A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419F82 NtCreateFile,	4_2_00419F82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499860 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01499860
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499660 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_01499660
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014996E0 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_014996E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499950 NtQueueApcThread,	4_2_01499950
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499910 NtAdjustPrivilegesToken,	4_2_01499910
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014999D0 NtCreateProcessEx,	4_2_014999D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014999A0 NtCreateSection,	4_2_014999A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0149B040 NtSuspendThread,	4_2_0149B040
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499840 NtDelayExecution,	4_2_01499840
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499820 NtEnumerateKey,	4_2_01499820
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014998F0 NtReadVirtualMemory,	4_2_014998F0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014998A0 NtWriteVirtualMemory,	4_2_014998A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499B00 NtSetValueKey,	4_2_01499B00
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0149A3B0 NtGetContextThread,	4_2_0149A3B0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499A50 NtCreateFile,	4_2_01499A50
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499A00 NtProtectVirtualMemory,	4_2_01499A00
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499A10 NtQuerySection,	4_2_01499A10
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499A20 NtResumeThread,	4_2_01499A20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499A80 NtOpenDirectoryObject,	4_2_01499A80
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499540 NtReadFile,	4_2_01499540
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499560 NtWriteFile,	4_2_01499560
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499520 NtWaitForSingleObject,	4_2_01499520
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0149AD30 NtSetContextThread,	4_2_0149AD30
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014995D0 NtClose,	4_2_014995D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014995F0 NtQueryInformationFile,	4_2_014995F0

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0094DCE7	1_2_0094DCE7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0094A9EA	1_2_0094A9EA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_011BC2B0	1_2_011BC2B0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_011B9990	1_2_011B9990
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_04D70448	1_2_04D70448
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_04D71770	1_2_04D71770
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07715520	1_2_07715520
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07710740	1_2_07710740
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711FA8	1_2_07711FA8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711F99	1_2_07711F99
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711D60	1_2_07711D60
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711D51	1_2_07711D51
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0771A550	1_2_0771A550
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07712D40	1_2_07712D40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0771A53F	1_2_0771A53F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07715510	1_2_07715510
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_077114E0	1_2_077114E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_077114D1	1_2_077114D1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711B58	1_2_07711B58
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711B48	1_2_07711B48
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07718BB0	1_2_07718BB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07718BA3	1_2_07718BA3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07716A10	1_2_07716A10
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07712170	1_2_07712170
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07719170	1_2_07719170
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07712163	1_2_07712163
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07710938	1_2_07710938
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07710929	1_2_07710929
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07719180	1_2_07719180
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0094AAC7	1_2_0094AAC7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00401209	4_2_00401209
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041DAFA	4_2_0041DAFA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D378	4_2_0041D378
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00409DFC	4_2_00409DFC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00402D88	4_2_00402D88
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00409E40	4_2_00409E40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D631	4_2_0041D631
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0097A9EA	4_2_0097A9EA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0097DCE7	4_2_0097DCE7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145F900	4_2_0145F900
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01474120	4_2_01474120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01472990	4_2_01472990
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01456800	4_2_01456800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511002	4_2_01511002
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0152E824	4_2_0152E824
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A830	4_2_0147A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015228EC	4_2_015228EC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146B090	4_2_0146B090
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014820A0	4_2_014820A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015220A8	4_2_015220A8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014FCB4F	4_2_014FCB4F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147AB40	4_2_0147AB40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01473360	4_2_01473360
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151231B	4_2_0151231B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01522B28	4_2_01522B28
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151DBD2	4_2_0151DBD2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015103DA	4_2_015103DA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148ABD8	4_2_0148ABD8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014A8BE8	4_2_014A8BE8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015023E3	4_2_015023E3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148138B	4_2_0148138B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014FEB8A	4_2_014FEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147EB9A	4_2_0147EB9A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148EBB0	4_2_0148EBB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B236	4_2_0147B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0150FA2B	4_2_0150FA2B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151E2C5	4_2_0151E2C5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015232A9	4_2_015232A9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015222AE	4_2_015222AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01521D55	4_2_01521D55
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01472D50	4_2_01472D50
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01522D07	4_2_01522D07
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01450D20	4_2_01450D20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015225DD	4_2_015225DD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146D5E0	4_2_0146D5E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482581	4_2_01482581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014865A0	4_2_014865A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151D466	4_2_0151D466
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146841F	4_2_0146841F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01472430	4_2_01472430
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0097AAC7	4_2_0097AAC7

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: String function: 0145B150 appears 121 times
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: String function: 014E5720 appears 62 times

Source: Quotation-4834898943949883.pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Quotation-4834898943949883.pdf.exe	Binary or memory string: OriginalFilename vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245565115.0000000007680000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000000.217395296.0000000000942000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameReadBufferAsyncd97.exe4 vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240654193.0000000002CE1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245113568.0000000006E30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe	Binary or memory string: OriginalFilename vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000004.00000000.238479725.0000000000972000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameReadBufferAsyncd97.exe4 vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000004.00000002.241413507.000000000154F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe	Binary or memory string: OriginalFilenameReadBufferAsyncd97.exe4 vs Quotation-4834898943949883.pdf.exe

Source: Quotation-4834898943949883.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Quotation-4834898943949883.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation-4834898943949883.pdf.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Mutant created: \Sessions\1\BaseNamedObjects\uwviaTyAYnlyFJcXtcTQZZrdZh

Source: Quotation-4834898943949883.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: Quotation-4834898943949883.pdf.exe	Virustotal: Detection: 26%
Source: Quotation-4834898943949883.pdf.exe	ReversingLabs: Detection: 22%

Source: unknown	Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe 'C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe'
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Quotation-4834898943949883.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quotation-4834898943949883.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: Quotation-4834898943949883.pdf.exe, 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Quotation-4834898943949883.pdf.exe

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0094D65F push es; retn 0001h	1_2_0094D6BD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0094DC4E push 00000000h; iretd	1_2_0094DC98
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07716E6F pushfd ; retf	1_2_07716E78
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D0D2 push eax; ret	4_2_0041D0D8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D0DB push eax; ret	4_2_0041D142
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D085 push eax; ret	4_2_0041D0D8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D13C push eax; ret	4_2_0041D142
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0040B3F8 push ebx; iretd	4_2_0040B3FB
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041766B push eax; ret	4_2_0041766E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0040DF92 push ebp; retf	4_2_0040DF93
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041AFBA pushad ; retf	4_2_0041AFBE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0097DC4E push 00000000h; iretd	4_2_0097DC98
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0097D65F push es; retn 0001h	4_2_0097D6BD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014AD0D1 push ecx; ret	4_2_014AD0E4

Source: initial sample

Static PE information: section name: .text entropy: 7.61748315782

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.exe

Static PE information: Quotation-4834898943949883.pdf.exe

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation-4834898943949883.pdf.exe PID: 5956, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Code function: 4_2_00409A90 rdtsc

4_2_00409A90

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe TID: 5952	Thread sleep time: -100018s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe TID: 6028	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Thread delayed: delay time: 100018			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Code function: 4_2_00409A90 rdtsc

4_2_00409A90

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Code function: 4_2_01499860 NtQuerySystemInformation,LdrInitializeThunk,

4_2_01499860

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511951 mov eax, dword ptr fs:[00000030h]	4_2_01511951
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B944 mov eax, dword ptr fs:[00000030h]	4_2_0147B944
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B944 mov eax, dword ptr fs:[00000030h]	4_2_0147B944
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145395E mov eax, dword ptr fs:[00000030h]	4_2_0145395E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145395E mov eax, dword ptr fs:[00000030h]	4_2_0145395E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145C962 mov eax, dword ptr fs:[00000030h]	4_2_0145C962
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151E962 mov eax, dword ptr fs:[00000030h]	4_2_0151E962
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145B171 mov eax, dword ptr fs:[00000030h]	4_2_0145B171
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145B171 mov eax, dword ptr fs:[00000030h]	4_2_0145B171
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528966 mov eax, dword ptr fs:[00000030h]	4_2_01528966
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459100 mov eax, dword ptr fs:[00000030h]	4_2_01459100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459100 mov eax, dword ptr fs:[00000030h]	4_2_01459100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459100 mov eax, dword ptr fs:[00000030h]	4_2_01459100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01460100 mov eax, dword ptr fs:[00000030h]	4_2_01460100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01460100 mov eax, dword ptr fs:[00000030h]	4_2_01460100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01460100 mov eax, dword ptr fs:[00000030h]	4_2_01460100
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01474120 mov eax, dword ptr fs:[00000030h]	4_2_01474120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01474120 mov eax, dword ptr fs:[00000030h]	4_2_01474120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01474120 mov eax, dword ptr fs:[00000030h]	4_2_01474120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01474120 mov eax, dword ptr fs:[00000030h]	4_2_01474120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01474120 mov ecx, dword ptr fs:[00000030h]	4_2_01474120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148513A mov eax, dword ptr fs:[00000030h]	4_2_0148513A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148513A mov eax, dword ptr fs:[00000030h]	4_2_0148513A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01453138 mov ecx, dword ptr fs:[00000030h]	4_2_01453138
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014699C7 mov eax, dword ptr fs:[00000030h]	4_2_014699C7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014699C7 mov eax, dword ptr fs:[00000030h]	4_2_014699C7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014699C7 mov eax, dword ptr fs:[00000030h]	4_2_014699C7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014699C7 mov eax, dword ptr fs:[00000030h]	4_2_014699C7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015119D8 mov eax, dword ptr fs:[00000030h]	4_2_015119D8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145B1E1 mov eax, dword ptr fs:[00000030h]	4_2_0145B1E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145B1E1 mov eax, dword ptr fs:[00000030h]	4_2_0145B1E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145B1E1 mov eax, dword ptr fs:[00000030h]	4_2_0145B1E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014531E0 mov eax, dword ptr fs:[00000030h]	4_2_014531E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014E41E8 mov eax, dword ptr fs:[00000030h]	4_2_014E41E8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015289E7 mov eax, dword ptr fs:[00000030h]	4_2_015289E7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147C182 mov eax, dword ptr fs:[00000030h]	4_2_0147C182
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148A185 mov eax, dword ptr fs:[00000030h]	4_2_0148A185
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482990 mov eax, dword ptr fs:[00000030h]	4_2_01482990
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484190 mov eax, dword ptr fs:[00000030h]	4_2_01484190
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151A189 mov eax, dword ptr fs:[00000030h]	4_2_0151A189
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151A189 mov ecx, dword ptr fs:[00000030h]	4_2_0151A189
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145519E mov eax, dword ptr fs:[00000030h]	4_2_0145519E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145519E mov ecx, dword ptr fs:[00000030h]	4_2_0145519E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0152F1B5 mov eax, dword ptr fs:[00000030h]	4_2_0152F1B5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0152F1B5 mov eax, dword ptr fs:[00000030h]	4_2_0152F1B5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014861A0 mov eax, dword ptr fs:[00000030h]	4_2_014861A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014861A0 mov eax, dword ptr fs:[00000030h]	4_2_014861A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D69A6 mov eax, dword ptr fs:[00000030h]	4_2_014D69A6
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D51BE mov eax, dword ptr fs:[00000030h]	4_2_014D51BE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D51BE mov eax, dword ptr fs:[00000030h]	4_2_014D51BE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D51BE mov eax, dword ptr fs:[00000030h]	4_2_014D51BE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D51BE mov eax, dword ptr fs:[00000030h]	4_2_014D51BE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015149A4 mov eax, dword ptr fs:[00000030h]	4_2_015149A4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015149A4 mov eax, dword ptr fs:[00000030h]	4_2_015149A4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015149A4 mov eax, dword ptr fs:[00000030h]	4_2_015149A4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015149A4 mov eax, dword ptr fs:[00000030h]	4_2_015149A4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148C9BF mov eax, dword ptr fs:[00000030h]	4_2_0148C9BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148C9BF mov eax, dword ptr fs:[00000030h]	4_2_0148C9BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov eax, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov eax, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov eax, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov ecx, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF mov eax, dword ptr fs:[00000030h]	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511843 mov eax, dword ptr fs:[00000030h]	4_2_01511843
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01457057 mov eax, dword ptr fs:[00000030h]	4_2_01457057
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455050 mov eax, dword ptr fs:[00000030h]	4_2_01455050
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455050 mov eax, dword ptr fs:[00000030h]	4_2_01455050
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455050 mov eax, dword ptr fs:[00000030h]	4_2_01455050
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01470050 mov eax, dword ptr fs:[00000030h]	4_2_01470050
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01470050 mov eax, dword ptr fs:[00000030h]	4_2_01470050
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512073 mov eax, dword ptr fs:[00000030h]	4_2_01512073
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01521074 mov eax, dword ptr fs:[00000030h]	4_2_01521074
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147F86D mov eax, dword ptr fs:[00000030h]	4_2_0147F86D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01456800 mov eax, dword ptr fs:[00000030h]	4_2_01456800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01456800 mov eax, dword ptr fs:[00000030h]	4_2_01456800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01456800 mov eax, dword ptr fs:[00000030h]	4_2_01456800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01524015 mov eax, dword ptr fs:[00000030h]	4_2_01524015
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01524015 mov eax, dword ptr fs:[00000030h]	4_2_01524015
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D7016 mov eax, dword ptr fs:[00000030h]	4_2_014D7016
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D7016 mov eax, dword ptr fs:[00000030h]	4_2_014D7016
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D7016 mov eax, dword ptr fs:[00000030h]	4_2_014D7016
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148002D mov eax, dword ptr fs:[00000030h]	4_2_0148002D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148002D mov eax, dword ptr fs:[00000030h]	4_2_0148002D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148002D mov eax, dword ptr fs:[00000030h]	4_2_0148002D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148002D mov eax, dword ptr fs:[00000030h]	4_2_0148002D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148002D mov eax, dword ptr fs:[00000030h]	4_2_0148002D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484020 mov edi, dword ptr fs:[00000030h]	4_2_01484020
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146B02A mov eax, dword ptr fs:[00000030h]	4_2_0146B02A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146B02A mov eax, dword ptr fs:[00000030h]	4_2_0146B02A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146B02A mov eax, dword ptr fs:[00000030h]	4_2_0146B02A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146B02A mov eax, dword ptr fs:[00000030h]	4_2_0146B02A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A830 mov eax, dword ptr fs:[00000030h]	4_2_0147A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A830 mov eax, dword ptr fs:[00000030h]	4_2_0147A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A830 mov eax, dword ptr fs:[00000030h]	4_2_0147A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A830 mov eax, dword ptr fs:[00000030h]	4_2_0147A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014570C0 mov eax, dword ptr fs:[00000030h]	4_2_014570C0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014570C0 mov eax, dword ptr fs:[00000030h]	4_2_014570C0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015118CA mov eax, dword ptr fs:[00000030h]	4_2_015118CA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EB8D0 mov eax, dword ptr fs:[00000030h]	4_2_014EB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EB8D0 mov ecx, dword ptr fs:[00000030h]	4_2_014EB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EB8D0 mov eax, dword ptr fs:[00000030h]	4_2_014EB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EB8D0 mov eax, dword ptr fs:[00000030h]	4_2_014EB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EB8D0 mov eax, dword ptr fs:[00000030h]	4_2_014EB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EB8D0 mov eax, dword ptr fs:[00000030h]	4_2_014EB8D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B8E4 mov eax, dword ptr fs:[00000030h]	4_2_0147B8E4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B8E4 mov eax, dword ptr fs:[00000030h]	4_2_0147B8E4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014540E1 mov eax, dword ptr fs:[00000030h]	4_2_014540E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014540E1 mov eax, dword ptr fs:[00000030h]	4_2_014540E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014540E1 mov eax, dword ptr fs:[00000030h]	4_2_014540E1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014558EC mov eax, dword ptr fs:[00000030h]	4_2_014558EC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628FD mov eax, dword ptr fs:[00000030h]	4_2_014628FD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628FD mov eax, dword ptr fs:[00000030h]	4_2_014628FD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628FD mov eax, dword ptr fs:[00000030h]	4_2_014628FD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459080 mov eax, dword ptr fs:[00000030h]	4_2_01459080
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01453880 mov eax, dword ptr fs:[00000030h]	4_2_01453880
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01453880 mov eax, dword ptr fs:[00000030h]	4_2_01453880
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D3884 mov eax, dword ptr fs:[00000030h]	4_2_014D3884
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D3884 mov eax, dword ptr fs:[00000030h]	4_2_014D3884
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014990AF mov eax, dword ptr fs:[00000030h]	4_2_014990AF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014820A0 mov eax, dword ptr fs:[00000030h]	4_2_014820A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014820A0 mov eax, dword ptr fs:[00000030h]	4_2_014820A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014820A0 mov eax, dword ptr fs:[00000030h]	4_2_014820A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014820A0 mov eax, dword ptr fs:[00000030h]	4_2_014820A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014820A0 mov eax, dword ptr fs:[00000030h]	4_2_014820A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014820A0 mov eax, dword ptr fs:[00000030h]	4_2_014820A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628AE mov eax, dword ptr fs:[00000030h]	4_2_014628AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628AE mov eax, dword ptr fs:[00000030h]	4_2_014628AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628AE mov eax, dword ptr fs:[00000030h]	4_2_014628AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628AE mov ecx, dword ptr fs:[00000030h]	4_2_014628AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628AE mov eax, dword ptr fs:[00000030h]	4_2_014628AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014628AE mov eax, dword ptr fs:[00000030h]	4_2_014628AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148F0BF mov ecx, dword ptr fs:[00000030h]	4_2_0148F0BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148F0BF mov eax, dword ptr fs:[00000030h]	4_2_0148F0BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148F0BF mov eax, dword ptr fs:[00000030h]	4_2_0148F0BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145DB40 mov eax, dword ptr fs:[00000030h]	4_2_0145DB40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528B58 mov eax, dword ptr fs:[00000030h]	4_2_01528B58
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01483B5A mov eax, dword ptr fs:[00000030h]	4_2_01483B5A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01483B5A mov eax, dword ptr fs:[00000030h]	4_2_01483B5A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01483B5A mov eax, dword ptr fs:[00000030h]	4_2_01483B5A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01483B5A mov eax, dword ptr fs:[00000030h]	4_2_01483B5A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145F358 mov eax, dword ptr fs:[00000030h]	4_2_0145F358
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145DB60 mov ecx, dword ptr fs:[00000030h]	4_2_0145DB60
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014E6365 mov eax, dword ptr fs:[00000030h]	4_2_014E6365
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014E6365 mov eax, dword ptr fs:[00000030h]	4_2_014E6365
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014E6365 mov eax, dword ptr fs:[00000030h]	4_2_014E6365
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01483B7A mov eax, dword ptr fs:[00000030h]	4_2_01483B7A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01483B7A mov eax, dword ptr fs:[00000030h]	4_2_01483B7A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146F370 mov eax, dword ptr fs:[00000030h]	4_2_0146F370
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146F370 mov eax, dword ptr fs:[00000030h]	4_2_0146F370
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146F370 mov eax, dword ptr fs:[00000030h]	4_2_0146F370
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151131B mov eax, dword ptr fs:[00000030h]	4_2_0151131B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309 mov eax, dword ptr fs:[00000030h]	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D53CA mov eax, dword ptr fs:[00000030h]	4_2_014D53CA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D53CA mov eax, dword ptr fs:[00000030h]	4_2_014D53CA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014853C5 mov eax, dword ptr fs:[00000030h]	4_2_014853C5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014803E2 mov eax, dword ptr fs:[00000030h]	4_2_014803E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014803E2 mov eax, dword ptr fs:[00000030h]	4_2_014803E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014803E2 mov eax, dword ptr fs:[00000030h]	4_2_014803E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014803E2 mov eax, dword ptr fs:[00000030h]	4_2_014803E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014803E2 mov eax, dword ptr fs:[00000030h]	4_2_014803E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014803E2 mov eax, dword ptr fs:[00000030h]	4_2_014803E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01451BE9 mov eax, dword ptr fs:[00000030h]	4_2_01451BE9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147DBE9 mov eax, dword ptr fs:[00000030h]	4_2_0147DBE9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015023E3 mov ecx, dword ptr fs:[00000030h]	4_2_015023E3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015023E3 mov ecx, dword ptr fs:[00000030h]	4_2_015023E3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015023E3 mov eax, dword ptr fs:[00000030h]	4_2_015023E3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148138B mov eax, dword ptr fs:[00000030h]	4_2_0148138B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148138B mov eax, dword ptr fs:[00000030h]	4_2_0148138B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148138B mov eax, dword ptr fs:[00000030h]	4_2_0148138B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014FEB8A mov ecx, dword ptr fs:[00000030h]	4_2_014FEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014FEB8A mov eax, dword ptr fs:[00000030h]	4_2_014FEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014FEB8A mov eax, dword ptr fs:[00000030h]	4_2_014FEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014FEB8A mov eax, dword ptr fs:[00000030h]	4_2_014FEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01461B8F mov eax, dword ptr fs:[00000030h]	4_2_01461B8F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01461B8F mov eax, dword ptr fs:[00000030h]	4_2_01461B8F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0150D380 mov ecx, dword ptr fs:[00000030h]	4_2_0150D380
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01454B94 mov edi, dword ptr fs:[00000030h]	4_2_01454B94
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148B390 mov eax, dword ptr fs:[00000030h]	4_2_0148B390
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151138A mov eax, dword ptr fs:[00000030h]	4_2_0151138A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147EB9A mov eax, dword ptr fs:[00000030h]	4_2_0147EB9A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147EB9A mov eax, dword ptr fs:[00000030h]	4_2_0147EB9A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482397 mov eax, dword ptr fs:[00000030h]	4_2_01482397
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528BB6 mov eax, dword ptr fs:[00000030h]	4_2_01528BB6
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484BAD mov eax, dword ptr fs:[00000030h]	4_2_01484BAD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484BAD mov eax, dword ptr fs:[00000030h]	4_2_01484BAD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484BAD mov eax, dword ptr fs:[00000030h]	4_2_01484BAD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01529BBE mov eax, dword ptr fs:[00000030h]	4_2_01529BBE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01525BA5 mov eax, dword ptr fs:[00000030h]	4_2_01525BA5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511BA8 mov eax, dword ptr fs:[00000030h]	4_2_01511BA8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151EA55 mov eax, dword ptr fs:[00000030h]	4_2_0151EA55
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459240 mov eax, dword ptr fs:[00000030h]	4_2_01459240
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459240 mov eax, dword ptr fs:[00000030h]	4_2_01459240
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459240 mov eax, dword ptr fs:[00000030h]	4_2_01459240
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01459240 mov eax, dword ptr fs:[00000030h]	4_2_01459240
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511A5F mov eax, dword ptr fs:[00000030h]	4_2_01511A5F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014E4257 mov eax, dword ptr fs:[00000030h]	4_2_014E4257
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01495A69 mov eax, dword ptr fs:[00000030h]	4_2_01495A69
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01495A69 mov eax, dword ptr fs:[00000030h]	4_2_01495A69
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01495A69 mov eax, dword ptr fs:[00000030h]	4_2_01495A69
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0150B260 mov eax, dword ptr fs:[00000030h]	4_2_0150B260
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0150B260 mov eax, dword ptr fs:[00000030h]	4_2_0150B260
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528A62 mov eax, dword ptr fs:[00000030h]	4_2_01528A62
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0149927A mov eax, dword ptr fs:[00000030h]	4_2_0149927A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151AA16 mov eax, dword ptr fs:[00000030h]	4_2_0151AA16
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151AA16 mov eax, dword ptr fs:[00000030h]	4_2_0151AA16
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01468A0A mov eax, dword ptr fs:[00000030h]	4_2_01468A0A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145AA16 mov eax, dword ptr fs:[00000030h]	4_2_0145AA16
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145AA16 mov eax, dword ptr fs:[00000030h]	4_2_0145AA16
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455210 mov eax, dword ptr fs:[00000030h]	4_2_01455210
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455210 mov ecx, dword ptr fs:[00000030h]	4_2_01455210
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455210 mov eax, dword ptr fs:[00000030h]	4_2_01455210
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455210 mov eax, dword ptr fs:[00000030h]	4_2_01455210
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01473A1C mov eax, dword ptr fs:[00000030h]	4_2_01473A1C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01494A2C mov eax, dword ptr fs:[00000030h]	4_2_01494A2C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01494A2C mov eax, dword ptr fs:[00000030h]	4_2_01494A2C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01454A20 mov eax, dword ptr fs:[00000030h]	4_2_01454A20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01454A20 mov eax, dword ptr fs:[00000030h]	4_2_01454A20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A229 mov eax, dword ptr fs:[00000030h]	4_2_0147A229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B236 mov eax, dword ptr fs:[00000030h]	4_2_0147B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B236 mov eax, dword ptr fs:[00000030h]	4_2_0147B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B236 mov eax, dword ptr fs:[00000030h]	4_2_0147B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B236 mov eax, dword ptr fs:[00000030h]	4_2_0147B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B236 mov eax, dword ptr fs:[00000030h]	4_2_0147B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B236 mov eax, dword ptr fs:[00000030h]	4_2_0147B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511229 mov eax, dword ptr fs:[00000030h]	4_2_01511229
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01458239 mov eax, dword ptr fs:[00000030h]	4_2_01458239
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01458239 mov eax, dword ptr fs:[00000030h]	4_2_01458239
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01458239 mov eax, dword ptr fs:[00000030h]	4_2_01458239
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482ACB mov eax, dword ptr fs:[00000030h]	4_2_01482ACB
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455AC0 mov eax, dword ptr fs:[00000030h]	4_2_01455AC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455AC0 mov eax, dword ptr fs:[00000030h]	4_2_01455AC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01455AC0 mov eax, dword ptr fs:[00000030h]	4_2_01455AC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01453ACA mov eax, dword ptr fs:[00000030h]	4_2_01453ACA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528ADD mov eax, dword ptr fs:[00000030h]	4_2_01528ADD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014512D4 mov eax, dword ptr fs:[00000030h]	4_2_014512D4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482AE4 mov eax, dword ptr fs:[00000030h]	4_2_01482AE4
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF mov eax, dword ptr fs:[00000030h]	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148DA88 mov eax, dword ptr fs:[00000030h]	4_2_0148DA88
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148DA88 mov eax, dword ptr fs:[00000030h]	4_2_0148DA88
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151129A mov eax, dword ptr fs:[00000030h]	4_2_0151129A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148D294 mov eax, dword ptr fs:[00000030h]	4_2_0148D294
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148D294 mov eax, dword ptr fs:[00000030h]	4_2_0148D294
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014552A5 mov eax, dword ptr fs:[00000030h]	4_2_014552A5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014552A5 mov eax, dword ptr fs:[00000030h]	4_2_014552A5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014552A5 mov eax, dword ptr fs:[00000030h]	4_2_014552A5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014552A5 mov eax, dword ptr fs:[00000030h]	4_2_014552A5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014552A5 mov eax, dword ptr fs:[00000030h]	4_2_014552A5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01451AA0 mov eax, dword ptr fs:[00000030h]	4_2_01451AA0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01485AA0 mov eax, dword ptr fs:[00000030h]	4_2_01485AA0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01485AA0 mov eax, dword ptr fs:[00000030h]	4_2_01485AA0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014812BD mov esi, dword ptr fs:[00000030h]	4_2_014812BD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014812BD mov eax, dword ptr fs:[00000030h]	4_2_014812BD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014812BD mov eax, dword ptr fs:[00000030h]	4_2_014812BD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146AAB0 mov eax, dword ptr fs:[00000030h]	4_2_0146AAB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146AAB0 mov eax, dword ptr fs:[00000030h]	4_2_0146AAB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148FAB0 mov eax, dword ptr fs:[00000030h]	4_2_0148FAB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145354C mov eax, dword ptr fs:[00000030h]	4_2_0145354C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145354C mov eax, dword ptr fs:[00000030h]	4_2_0145354C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01493D43 mov eax, dword ptr fs:[00000030h]	4_2_01493D43
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D3540 mov eax, dword ptr fs:[00000030h]	4_2_014D3540
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01503D40 mov eax, dword ptr fs:[00000030h]	4_2_01503D40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01477D50 mov eax, dword ptr fs:[00000030h]	4_2_01477D50
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01508D47 mov eax, dword ptr fs:[00000030h]	4_2_01508D47
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01494D51 mov eax, dword ptr fs:[00000030h]	4_2_01494D51
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01494D51 mov eax, dword ptr fs:[00000030h]	4_2_01494D51
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147C577 mov eax, dword ptr fs:[00000030h]	4_2_0147C577
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147C577 mov eax, dword ptr fs:[00000030h]	4_2_0147C577
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01478D76 mov eax, dword ptr fs:[00000030h]	4_2_01478D76
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01478D76 mov eax, dword ptr fs:[00000030h]	4_2_01478D76
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01478D76 mov eax, dword ptr fs:[00000030h]	4_2_01478D76
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01478D76 mov eax, dword ptr fs:[00000030h]	4_2_01478D76
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01478D76 mov eax, dword ptr fs:[00000030h]	4_2_01478D76
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01513518 mov eax, dword ptr fs:[00000030h]	4_2_01513518
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01513518 mov eax, dword ptr fs:[00000030h]	4_2_01513518
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01513518 mov eax, dword ptr fs:[00000030h]	4_2_01513518
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528D34 mov eax, dword ptr fs:[00000030h]	4_2_01528D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151E539 mov eax, dword ptr fs:[00000030h]	4_2_0151E539
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148F527 mov eax, dword ptr fs:[00000030h]	4_2_0148F527
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148F527 mov eax, dword ptr fs:[00000030h]	4_2_0148F527
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148F527 mov eax, dword ptr fs:[00000030h]	4_2_0148F527
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01463D34 mov eax, dword ptr fs:[00000030h]	4_2_01463D34
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484D3B mov eax, dword ptr fs:[00000030h]	4_2_01484D3B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484D3B mov eax, dword ptr fs:[00000030h]	4_2_01484D3B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01484D3B mov eax, dword ptr fs:[00000030h]	4_2_01484D3B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145AD30 mov eax, dword ptr fs:[00000030h]	4_2_0145AD30
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014DA537 mov eax, dword ptr fs:[00000030h]	4_2_014DA537
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0150FDD3 mov eax, dword ptr fs:[00000030h]	4_2_0150FDD3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6DC9 mov eax, dword ptr fs:[00000030h]	4_2_014D6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6DC9 mov eax, dword ptr fs:[00000030h]	4_2_014D6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6DC9 mov eax, dword ptr fs:[00000030h]	4_2_014D6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6DC9 mov ecx, dword ptr fs:[00000030h]	4_2_014D6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6DC9 mov eax, dword ptr fs:[00000030h]	4_2_014D6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6DC9 mov eax, dword ptr fs:[00000030h]	4_2_014D6DC9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014515C1 mov eax, dword ptr fs:[00000030h]	4_2_014515C1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01508DF1 mov eax, dword ptr fs:[00000030h]	4_2_01508DF1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014895EC mov eax, dword ptr fs:[00000030h]	4_2_014895EC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146D5E0 mov eax, dword ptr fs:[00000030h]	4_2_0146D5E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146D5E0 mov eax, dword ptr fs:[00000030h]	4_2_0146D5E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151FDE2 mov eax, dword ptr fs:[00000030h]	4_2_0151FDE2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151FDE2 mov eax, dword ptr fs:[00000030h]	4_2_0151FDE2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151FDE2 mov eax, dword ptr fs:[00000030h]	4_2_0151FDE2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151FDE2 mov eax, dword ptr fs:[00000030h]	4_2_0151FDE2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014595F0 mov eax, dword ptr fs:[00000030h]	4_2_014595F0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014595F0 mov ecx, dword ptr fs:[00000030h]	4_2_014595F0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482581 mov eax, dword ptr fs:[00000030h]	4_2_01482581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482581 mov eax, dword ptr fs:[00000030h]	4_2_01482581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482581 mov eax, dword ptr fs:[00000030h]	4_2_01482581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482581 mov eax, dword ptr fs:[00000030h]	4_2_01482581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01452D8A mov eax, dword ptr fs:[00000030h]	4_2_01452D8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01452D8A mov eax, dword ptr fs:[00000030h]	4_2_01452D8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01452D8A mov eax, dword ptr fs:[00000030h]	4_2_01452D8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01452D8A mov eax, dword ptr fs:[00000030h]	4_2_01452D8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01452D8A mov eax, dword ptr fs:[00000030h]	4_2_01452D8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151B581 mov eax, dword ptr fs:[00000030h]	4_2_0151B581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151B581 mov eax, dword ptr fs:[00000030h]	4_2_0151B581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151B581 mov eax, dword ptr fs:[00000030h]	4_2_0151B581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151B581 mov eax, dword ptr fs:[00000030h]	4_2_0151B581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148FD9B mov eax, dword ptr fs:[00000030h]	4_2_0148FD9B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148FD9B mov eax, dword ptr fs:[00000030h]	4_2_0148FD9B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82 mov eax, dword ptr fs:[00000030h]	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82 mov eax, dword ptr fs:[00000030h]	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82 mov eax, dword ptr fs:[00000030h]	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82 mov eax, dword ptr fs:[00000030h]	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82 mov eax, dword ptr fs:[00000030h]	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82 mov eax, dword ptr fs:[00000030h]	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82 mov eax, dword ptr fs:[00000030h]	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01453591 mov eax, dword ptr fs:[00000030h]	4_2_01453591
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014865A0 mov eax, dword ptr fs:[00000030h]	4_2_014865A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014865A0 mov eax, dword ptr fs:[00000030h]	4_2_014865A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014865A0 mov eax, dword ptr fs:[00000030h]	4_2_014865A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014835A1 mov eax, dword ptr fs:[00000030h]	4_2_014835A1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01481DB5 mov eax, dword ptr fs:[00000030h]	4_2_01481DB5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01481DB5 mov eax, dword ptr fs:[00000030h]	4_2_01481DB5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01481DB5 mov eax, dword ptr fs:[00000030h]	4_2_01481DB5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015205AC mov eax, dword ptr fs:[00000030h]	4_2_015205AC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015205AC mov eax, dword ptr fs:[00000030h]	4_2_015205AC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528450 mov eax, dword ptr fs:[00000030h]	4_2_01528450
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148A44B mov eax, dword ptr fs:[00000030h]	4_2_0148A44B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EC450 mov eax, dword ptr fs:[00000030h]	4_2_014EC450
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014EC450 mov eax, dword ptr fs:[00000030h]	4_2_014EC450
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528C75 mov eax, dword ptr fs:[00000030h]	4_2_01528C75
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147746D mov eax, dword ptr fs:[00000030h]	4_2_0147746D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477 mov eax, dword ptr fs:[00000030h]	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148AC7B mov eax, dword ptr fs:[00000030h]	4_2_0148AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148AC7B mov eax, dword ptr fs:[00000030h]	4_2_0148AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148AC7B mov eax, dword ptr fs:[00000030h]	4_2_0148AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148AC7B mov eax, dword ptr fs:[00000030h]	4_2_0148AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148AC7B mov eax, dword ptr fs:[00000030h]	4_2_0148AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148AC7B mov eax, dword ptr fs:[00000030h]	4_2_0148AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148AC7B mov eax, dword ptr fs:[00000030h]	4_2_0148AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148AC7B mov eax, dword ptr fs:[00000030h]	4_2_0148AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148AC7B mov eax, dword ptr fs:[00000030h]	4_2_0148AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148AC7B mov eax, dword ptr fs:[00000030h]	4_2_0148AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148AC7B mov eax, dword ptr fs:[00000030h]	4_2_0148AC7B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01495C70 mov eax, dword ptr fs:[00000030h]	4_2_01495C70
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528C14 mov eax, dword ptr fs:[00000030h]	4_2_01528C14
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6C0A mov eax, dword ptr fs:[00000030h]	4_2_014D6C0A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6C0A mov eax, dword ptr fs:[00000030h]	4_2_014D6C0A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6C0A mov eax, dword ptr fs:[00000030h]	4_2_014D6C0A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014D6C0A mov eax, dword ptr fs:[00000030h]	4_2_014D6C0A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511C06 mov eax, dword ptr fs:[00000030h]	4_2_01511C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511C06 mov eax, dword ptr fs:[00000030h]	4_2_01511C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511C06 mov eax, dword ptr fs:[00000030h]	4_2_01511C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511C06 mov eax, dword ptr fs:[00000030h]	4_2_01511C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511C06 mov eax, dword ptr fs:[00000030h]	4_2_01511C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511C06 mov eax, dword ptr fs:[00000030h]	4_2_01511C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511C06 mov eax, dword ptr fs:[00000030h]	4_2_01511C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511C06 mov eax, dword ptr fs:[00000030h]	4_2_01511C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511C06 mov eax, dword ptr fs:[00000030h]	4_2_01511C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511C06 mov eax, dword ptr fs:[00000030h]	4_2_01511C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511C06 mov eax, dword ptr fs:[00000030h]	4_2_01511C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511C06 mov eax, dword ptr fs:[00000030h]	4_2_01511C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511C06 mov eax, dword ptr fs:[00000030h]	4_2_01511C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511C06 mov eax, dword ptr fs:[00000030h]	4_2_01511C06
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0152740D mov eax, dword ptr fs:[00000030h]	4_2_0152740D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0152740D mov eax, dword ptr fs:[00000030h]	4_2_0152740D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0152740D mov eax, dword ptr fs:[00000030h]	4_2_0152740D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148BC2C mov eax, dword ptr fs:[00000030h]	4_2_0148BC2C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146B433 mov eax, dword ptr fs:[00000030h]	4_2_0146B433
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146B433 mov eax, dword ptr fs:[00000030h]	4_2_0146B433
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146B433 mov eax, dword ptr fs:[00000030h]	4_2_0146B433
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01483C3E mov eax, dword ptr fs:[00000030h]	4_2_01483C3E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01483C3E mov eax, dword ptr fs:[00000030h]	4_2_01483C3E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01483C3E mov eax, dword ptr fs:[00000030h]	4_2_01483C3E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01472430 mov eax, dword ptr fs:[00000030h]	4_2_01472430
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01472430 mov eax, dword ptr fs:[00000030h]	4_2_01472430
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01454439 mov eax, dword ptr fs:[00000030h]	4_2_01454439
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01528CD6 mov eax, dword ptr fs:[00000030h]	4_2_01528CD6
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148CCC0 mov eax, dword ptr fs:[00000030h]	4_2_0148CCC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148CCC0 mov eax, dword ptr fs:[00000030h]	4_2_0148CCC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148CCC0 mov eax, dword ptr fs:[00000030h]	4_2_0148CCC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148CCC0 mov eax, dword ptr fs:[00000030h]	4_2_0148CCC0

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Memory written: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection111	Masquerading11	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	System Information Discovery112	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information14	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Quotation-4834898943949883.pdf.exe	27%	Virustotal		Browse
Quotation-4834898943949883.pdf.exe	23%	ReversingLabs	Win32.Trojan.AgentTesla
Quotation-4834898943949883.pdf.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://tempuri.org/HighScoresDataSet.xsd	0%	Avira URL Cloud	safe
www.mcgeefamilychildcare.com/nc6m/	100%	Avira URL Cloud	malware
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://tempuri.org/GridOneHSDataSet.xsd	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.mcgeefamilychildcare.com/nc6m/	true	Avira URL Cloud: malware	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://tempuri.org/HighScoresDataSet.xsd	Quotation-4834898943949883.pdf.exe	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false		high
http://tempuri.org/GridOneHSDataSet.xsd	Quotation-4834898943949883.pdf.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4	Quotation-4834898943949883.pdf.exe, 00000001.00000002.240759928.0000000002D72000.00000004.00000001.sdmp	false		high
http://www.tiro.com	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false		high
http://www.fonts.com	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Quotation-4834898943949883.pdf.exe, 00000001.00000002.240759928.0000000002D72000.00000004.00000001.sdmp, Quotation-4834898943949883.pdf.exe, 00000001.00000002.240654193.0000000002CE1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	383906
Start date:	08.04.2021
Start time:	12:11:06
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Quotation-4834898943949883.pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 4.8% (good quality ratio 4.7%) Quality average: 79.7% Quality standard deviation: 23.6%
HCA Information:	Successful, ratio: 90% Number of executed functions: 49 Number of non-executed functions: 209
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:12:09	API Interceptor	1x Sleep call for process: Quotation-4834898943949883.pdf.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation-4834898943949883.pdf.exe.log Download File
Process:	C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.595750596480351
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Quotation-4834898943949883.pdf.exe
File size:	681472
MD5:	57055ad7429ef21caca78a9428e8a332
SHA1:	4df1aae070d95c2fd6c40ba3070a2af53462f3e6
SHA256:	f15085a9037c117355a6b500780d5df0530a6c6724e4506622565b4c13582876
SHA512:	afe126a28e09f69f5c4cb255a9baaa92ae94ca07ae7c93e257a4e7f9b1907d8c651b89bc938b11ba23244a1d32941e47b8ae1268a6ce342148d3653c16c5d7af
SSDEEP:	12288:kRRKtxL91LEPkJP/QHV6OcreeaAvV5vEqfkeH7zEfi/22A/4:kRREP1WkGV6/rxV5vEqfkiAq/e
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...I{n`..............P.. ...D......N9... ...@....@.. ....................................@................................

File Icon


Icon Hash:	2b014c5a4a450127

Static PE Info

General
Entrypoint:	0x4a394e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x606E7B49 [Thu Apr 8 03:40:57 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
or eax, 0C000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
pop es
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], al
add byte ptr [edx], cl
add byte ptr [eax], al
add byte ptr [esi], cl
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [eax+eax], cl
add byte ptr [eax], al
push cs
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], cl
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
pop es
add byte ptr [eax], al
add byte ptr [eax+eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
push es
add byte ptr [eax], al
add byte ptr [edx], cl
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
or al, byte ptr [eax]
add byte ptr [eax], al
push cs
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], al
add byte ptr [eax+eax], cl
add byte ptr [eax], al
add eax, 00000000h
add byte ptr [eax], al
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
or eax, dword ptr [eax]
add byte ptr [eax], al
or eax, dword ptr [eax]
add byte ptr [eax], al
or al, 00h
add byte ptr [eax], al
or eax, 02000000h
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [esi], cl
add byte ptr [eax], al
add byte ptr [00000000h], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa38fc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa4000	0x41a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa1e84	0xa2000	False	0.781325352045	data	7.61748315782	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa4000	0x41a8	0x4200	False	0.222478693182	data	4.4812106987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xaa000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xa4190	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xa45f8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xa56a0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294967295, next used block 4294967295
RT_GROUP_ICON	0xa7c48	0x30	data
RT_VERSION	0xa7c78	0x344	data
RT_MANIFEST	0xa7fbc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2015
Assembly Version	1.0.0.0
InternalName	ReadBufferAsyncd97.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Codewords
ProductVersion	1.0.0.0
FileDescription	Codewords
OriginalFilename	ReadBufferAsyncd97.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Quotation-4834898943949883.pdf.exe PID: 5956 Parent PID: 5488

General

Start time:	12:12:01
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe'
Imagebase:	0x940000
File size:	681472 bytes
MD5 hash:	57055AD7429EF21CACA78A9428E8A332
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: Quotation-4834898943949883.pdf.exe PID: 4120 Parent PID: 5956

General

Start time:	12:12:11
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe
Imagebase:	0x970000
File size:	681472 bytes
MD5 hash:	57055AD7429EF21CACA78A9428E8A332
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Quotation-4834898943949883.pdf.exe PID: 5956 Parent PID: 5488 Quotation-4834898943949883.pdf.exeCOMMON

Executed Functions

Function 07715520, Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

0-Z, xrefs: 0771568F
0-Z, xrefs: 0771569D

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID: 0-Z$0-Z
API String ID: 0-3726613079
Opcode ID: 426ee2e8d07e340104b6426c381e51631f53a08946ddc1979c0f62ed3defc12c
Instruction ID: 2c0b43b950d78aa55a21483cc2647b395a8e1cc40afea116fde9458c06506378
Opcode Fuzzy Hash: 426ee2e8d07e340104b6426c381e51631f53a08946ddc1979c0f62ed3defc12c
Instruction Fuzzy Hash: 6E7105B8E10209DFCB08DFA9D4996EDBBB2FF89340F10842AE416A7354DB395945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0771A53F, Relevance: 1.7, APIs: 1, Instructions: 176threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0771A502

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cf7612a046d4b8ce86da5a99e326ea61d57834c79d90d8d05b01278e57b6aa53
Instruction ID: 2b7aac00dfba3e6aa92769dea5eb7c10bc588e6b2a1163c87ae0d73e271edb9a
Opcode Fuzzy Hash: cf7612a046d4b8ce86da5a99e326ea61d57834c79d90d8d05b01278e57b6aa53
Instruction Fuzzy Hash: 2A7180B4E152198FCB14CFA9C98069EFBF6BF89344F24C46AD408A7315DB309A41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07716873, Relevance: 1.6, APIs: 1, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 077168F7

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 956ec02b41489cb59b246fbe2b37521829d71e0ea17cf71361cd3a58704e3a34
Instruction ID: ef7fb486586e5d5c941d245fe10a70e280063705c053888b1aa0cff5da546a1d
Opcode Fuzzy Hash: 956ec02b41489cb59b246fbe2b37521829d71e0ea17cf71361cd3a58704e3a34
Instruction Fuzzy Hash: 2021C3B5D00659EFCB10CF9AD984ADEBBF4FB48314F10842AE918A7610D775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07716878, Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 077168F7

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 7d1e1e5bc51820051cb62d6cf539bc4851f1aa64694cd2f7c178310215cd1eae
Instruction ID: ca7b17bff52ffdd1f9afc2d3872818b2e1568ce69c96e0c6da57c2a14e7a676c
Opcode Fuzzy Hash: 7d1e1e5bc51820051cb62d6cf539bc4851f1aa64694cd2f7c178310215cd1eae
Instruction Fuzzy Hash: 6D21CEB5D00259EFCB10CF9AD984ADEBBF4FB48324F10842AE918A7210D775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07715510, Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

0-Z, xrefs: 0771569D

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID: 0-Z
API String ID: 0-1550469286
Opcode ID: a2c603fdfb4e5a5ad3c3147563a66ea457bc154ee1418e5c535f540e42dad664
Instruction ID: 1c7c17ee53759c77187814ea2ebf267baba6ad539f594577ed2ff1bcae4dec9f
Opcode Fuzzy Hash: a2c603fdfb4e5a5ad3c3147563a66ea457bc154ee1418e5c535f540e42dad664
Instruction Fuzzy Hash: B08117B4E10208DFCB08DFA8D8996DDBBB2FB89340F10846AE816A7354DB355955CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0771FBA8, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d425fa055899c8aecdea779290bfd801a1136e0d91319acb944d64c87e5a371
Instruction ID: 75db2d89b41e57af352bf12b05600f77f49bcd60f7c99a806bbe6f6991814c57
Opcode Fuzzy Hash: 8d425fa055899c8aecdea779290bfd801a1136e0d91319acb944d64c87e5a371
Instruction Fuzzy Hash: 3A1179B0D05219CFDB14CFA9C458BEEBBF1AF4E341F18986AD405B3290CB788944DB68

Uniqueness

Uniqueness Score: -1.00%

Function 011B6B80, Relevance: 6.1, APIs: 4, Instructions: 125threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 011B6BF0
GetCurrentThread.KERNEL32 ref: 011B6C2D
GetCurrentProcess.KERNEL32 ref: 011B6C6A
GetCurrentThreadId.KERNEL32 ref: 011B6CC3

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 889d70d0ba9a232561f913c8afa9531acf2b3155625a8bab4d88c07f685af007
Instruction ID: 34be84df545530d22e4bc81af67e95e1c45222c9250b4375cf203a396124abee
Opcode Fuzzy Hash: 889d70d0ba9a232561f913c8afa9531acf2b3155625a8bab4d88c07f685af007
Instruction Fuzzy Hash: 175134B4D006488FEB14CFA9DA89BDEBFF0EF48314F208459E419B7290DB745988CB65

Uniqueness

Uniqueness Score: -1.00%

Function 011B6B90, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 011B6BF0
GetCurrentThread.KERNEL32 ref: 011B6C2D
GetCurrentProcess.KERNEL32 ref: 011B6C6A
GetCurrentThreadId.KERNEL32 ref: 011B6CC3

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0554a8d1216cf263769df3277e3914ac1b5ad9ba810f750d5d229b2f891e9119
Instruction ID: 127e312fe3517fb27bd370dc3a7c34e4e64131fcfa3dadba5bcf5be4f9a90b3f
Opcode Fuzzy Hash: 0554a8d1216cf263769df3277e3914ac1b5ad9ba810f750d5d229b2f891e9119
Instruction Fuzzy Hash: 555113B4D006498FEB18CFA9D689BEEBFF0EF88314F208459E419B7250DB745984CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0771AF88, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0771B1BE

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7ddc2287e138bc7b467fa980d75884ea0b1f49e5a2553faa77ab2755b17ad4f2
Instruction ID: 405d7104a207bcb408235fd1cd3d22b05bd0a0a846f16e424fd05c206d4d41a3
Opcode Fuzzy Hash: 7ddc2287e138bc7b467fa980d75884ea0b1f49e5a2553faa77ab2755b17ad4f2
Instruction Fuzzy Hash: 21915BB1D00259CFDB10CFA8CC81BDEBBB2BF48354F1589A9D819A7290DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 011BBBB8, Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011BBE0E

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 190681e9b9b3d855f6c16416ddfb5d83925d884e4b5b849cfffc01f4563c08d2
Instruction ID: 4e572d2da3b23ddaece72d2187134fafc042cf0bb9f69aa563d0e302f9c8668b
Opcode Fuzzy Hash: 190681e9b9b3d855f6c16416ddfb5d83925d884e4b5b849cfffc01f4563c08d2
Instruction Fuzzy Hash: 28715770A00B058FD728DF2AD4817AABBF1FF88204F008A2DE556DBB50DB35E9458F95

Uniqueness

Uniqueness Score: -1.00%

Function 011BDBE0, Relevance: 1.7, APIs: 1, Instructions: 163COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011BDD8A

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 21095fc6ad698ee3d3492743b35c70f123af7dab7d370ddc773fb047479390c3
Instruction ID: 48072c98f8e1cf846c10114dcb17a4597f525d10d09401c483cd2e50c9f5aa6b
Opcode Fuzzy Hash: 21095fc6ad698ee3d3492743b35c70f123af7dab7d370ddc773fb047479390c3
Instruction Fuzzy Hash: B76122B2C00249AFCF06CFA9D980ACDBFB1BF49304F15816AE918AB261D3759945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 011BDC78, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011BDD8A

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fdb9305ff7e2af9a86ae7c7f20e02fd689d188bf630a6c134813493aac5a550d
Instruction ID: c6d43d600b5ca7037b2bb70db44180434e92904678cdef08cba70fea14443bcc
Opcode Fuzzy Hash: fdb9305ff7e2af9a86ae7c7f20e02fd689d188bf630a6c134813493aac5a550d
Instruction Fuzzy Hash: 2141C1B1D003099FDF18CF99D884ADEBFB5BF48314F24812AE819AB250D7749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 011B6D41, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011B6E3F

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c0918864f07d17aadabdb0ccf5be424cab6354636f19de17e273c24774f81c49
Instruction ID: c573cff7685f5d76b203b4ed8b74c67981cb9046d62015ff80f097cad7956f8d
Opcode Fuzzy Hash: c0918864f07d17aadabdb0ccf5be424cab6354636f19de17e273c24774f81c49
Instruction Fuzzy Hash: 9B414876900258AFCF01CF99D884ADEBFF9EB88320F05805AFA04A7351D735A954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0771AD00, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0771AD90

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 357fdb9e3f46e68d50adc4aa2073e0085236524e350842f21676537fe52e0804
Instruction ID: 1f724604a99db0396e16934a0985f95aa725b4f06ab68e9d6052221b64498284
Opcode Fuzzy Hash: 357fdb9e3f46e68d50adc4aa2073e0085236524e350842f21676537fe52e0804
Instruction Fuzzy Hash: 422126B19003599FCF10CFA9C884BDEBBF5FF48314F10882AE959A7240D7789954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011B6DB0, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011B6E3F

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c098af2fa73fde5cefb10280d37696304b5621db2f5982479c283279b9bb9fa4
Instruction ID: b85196ad6f65321066faa3a5243a9cfa19e1ac66852ed02389260e2e4a6b1dbd
Opcode Fuzzy Hash: c098af2fa73fde5cefb10280d37696304b5621db2f5982479c283279b9bb9fa4
Instruction Fuzzy Hash: D721E5B59002189FDB10CFA9D984ADEBBF4FF48314F14801AE914A7310D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011BB0C0, Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011BBE89,00000800,00000000,00000000), ref: 011BC09A

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 369cc3e45350a3c3c0cce31234b52e0bd42458ad7f9671d618d7a29eb86b6cb0
Instruction ID: 45ba2a673023d8271d821704e5b163258f7c3d71c3998fea62966a7afe09a307
Opcode Fuzzy Hash: 369cc3e45350a3c3c0cce31234b52e0bd42458ad7f9671d618d7a29eb86b6cb0
Instruction Fuzzy Hash: 442179B6C002488FDB24CFAAD884BDEBBF4EF49314F00851ED555A7200C774A904CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0771AB68, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0771ABE6

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 39e05b519f61cde1a0be34a7a1db8a71c30cee0320046e4b84aad4227984b960
Instruction ID: f98b6834643645fcf7a35f9dfe3e3c5d59ba6100d17b513ee0211ffdcd12631a
Opcode Fuzzy Hash: 39e05b519f61cde1a0be34a7a1db8a71c30cee0320046e4b84aad4227984b960
Instruction Fuzzy Hash: EB215EB1D003098FCB10DFAAC4847EEBBF5EF49354F148429D419A7240CB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0771ADF0, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0771AE70

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 17edcb252a84c783a894041d3a2c8292caa917fd658bd5e660467e5e458a144a
Instruction ID: c3c3e666eebddae58bef60d8349382bd260ef175e982c10f89f86335acf870a5
Opcode Fuzzy Hash: 17edcb252a84c783a894041d3a2c8292caa917fd658bd5e660467e5e458a144a
Instruction Fuzzy Hash: 062128B1D002599FCB10CFAAD884BEEBBF5FF48314F10842AE919A7240C7349944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011B6DB8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011B6E3F

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 74554adefdafb48581915fde68ba71bcc2b99d863e04f79c1da18cccce3f25de
Instruction ID: 96f98ee690aae7cb212507c4422401e1ce824678284c492c6175770767d4b32d
Opcode Fuzzy Hash: 74554adefdafb48581915fde68ba71bcc2b99d863e04f79c1da18cccce3f25de
Instruction Fuzzy Hash: 5F21D5B5D002599FDB10CFA9D984ADEBFF8FB48324F14841AE914A7310D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07715410, Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0771548B

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b943f2d3e01a4f7b6ae0ca4e824483953453665c2686b0d7028ba5d8e6f37a58
Instruction ID: 342e3636a09f26a3f8a715d5d69a47141d650ee65182891f9aeadcf9d8fb5f2d
Opcode Fuzzy Hash: b943f2d3e01a4f7b6ae0ca4e824483953453665c2686b0d7028ba5d8e6f37a58
Instruction Fuzzy Hash: 63211AB1D002099FCB10CF9AD884BDEFBF4FB48324F108429E869A7640D774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07718AF8, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 07718B70

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 270f730e23c20373e0ea7b3a3990b215ac66e1c877ffb6103ab7fa637131fa03
Instruction ID: 58957590e471b0e7d76f4d59ae5e5d544b8ce495f346d26c798c8b8c28821d26
Opcode Fuzzy Hash: 270f730e23c20373e0ea7b3a3990b215ac66e1c877ffb6103ab7fa637131fa03
Instruction Fuzzy Hash: E11117F1C006199BCB10CF9AD884BDEFBB4FB49324F14851AE419A7640D774AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011BB0D8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011BBE89,00000800,00000000,00000000), ref: 011BC09A

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0b676e050ef862b334e5701a913de016e5bbeede2f91421b83fc95de8235286c
Instruction ID: c539396ff38c78dd0a3491bbcd494701b43cfbf9865ab57c270597784de55b3c
Opcode Fuzzy Hash: 0b676e050ef862b334e5701a913de016e5bbeede2f91421b83fc95de8235286c
Instruction Fuzzy Hash: 801103B69002099FDB14CF9AD884BDEBBF4EB89314F00842AE915B7200C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07715418, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0771548B

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 67b4cc85235b4f2f1f0a82d073c10422cbf1d228d5cde16a5692181d61ba82d1
Instruction ID: 347556ff10572692b114802dbb42c960920899366c69688c7a7e87684dab603a
Opcode Fuzzy Hash: 67b4cc85235b4f2f1f0a82d073c10422cbf1d228d5cde16a5692181d61ba82d1
Instruction Fuzzy Hash: F521E7B1D006599FCB10CF9AD984BDEFBF4FB48324F108429E859A7240D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0771AC40, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0771ACAE

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8ffbd465e6f9e4b05acd5332c4a01cdbbbd98a550990f4f41636e2a8642cd796
Instruction ID: eb8aed39a61aee3bc1e7449885a86a645201532f91e861effd3ebcf6b0f845cf
Opcode Fuzzy Hash: 8ffbd465e6f9e4b05acd5332c4a01cdbbbd98a550990f4f41636e2a8642cd796
Instruction Fuzzy Hash: 4E1126719002499BCB10DFAAD844BDEBBF5AF48324F148819E915A7250CB75A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011BC028, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011BBE89,00000800,00000000,00000000), ref: 011BC09A

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0c87a72b9238b0bc5f6a8e5e080a23b7659eab574587fca9012ab36bcd29539d
Instruction ID: 17ebb8c9c3b7e1a3c338c85d1541c6eeae8740a13b6e400025bd746acaed1a58
Opcode Fuzzy Hash: 0c87a72b9238b0bc5f6a8e5e080a23b7659eab574587fca9012ab36bcd29539d
Instruction Fuzzy Hash: 9D1123B6D002098FDB14CFAAD984BDEFBF4AF48314F15851AD919B7600C375A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0771A498, Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0771A502

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0d25adb20f8c315b35bfa0616971c55c4ef587e08b1383172c9f87c71350d48a
Instruction ID: f3ae194b964ae942489e3781673cd18b01118e3cd4b61ac683a0c8099f3a5356
Opcode Fuzzy Hash: 0d25adb20f8c315b35bfa0616971c55c4ef587e08b1383172c9f87c71350d48a
Instruction Fuzzy Hash: A4115BB1E042498FDB10DFA9D4447EEBBF5AF88214F14882AD415A7200C7349945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07718B00, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 07718B70

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: a64f728f13e6007badc10f4b1d4e2bc0614fb9d788d91a1a55c27492c9aa5805
Instruction ID: 105e9572d971b263c02c49509a6ac7d0d89f2abfad556a36cadcad7135a82125
Opcode Fuzzy Hash: a64f728f13e6007badc10f4b1d4e2bc0614fb9d788d91a1a55c27492c9aa5805
Instruction Fuzzy Hash: 7C1134B1C0061A9BCB10CF9AD884BDEFBF4FB49324F00852AD819B7640C734AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0771A4A0, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0771A502

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1aa04c72b114f8f265ffb28a4263d0ee18312ec8aaa7a374ceead1231d045a5b
Instruction ID: 5aa0099a56105e558b5bded03659c71458a81d58fbb1d0cd7a8e175ba3313643
Opcode Fuzzy Hash: 1aa04c72b114f8f265ffb28a4263d0ee18312ec8aaa7a374ceead1231d045a5b
Instruction Fuzzy Hash: FC113AB1D042498BCB10DFAAD8447EEFBF5AF88224F148829D519A7640CB74A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011BBDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011BBE0E

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: add54de441e31430ee095b0660587703ddbdd12d99a3f3a3a89ee8740cda187c
Instruction ID: 3a83f7b13ae110d3ff63e810cacbcbe29d25a89af576daf7282ba41556ecffef
Opcode Fuzzy Hash: add54de441e31430ee095b0660587703ddbdd12d99a3f3a3a89ee8740cda187c
Instruction Fuzzy Hash: 421110B2C006498FDB14CF9AD884BDEFBF4EF88224F10841AD929A7600C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011BDEB9, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 011BDF1D

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 6938e42f403e5b3c2de8546706d2591bdffee446bc74757f232730d874be177a
Instruction ID: 5e6a16d32ea5cbb0132940da46e24f0a6d1a6394e0dff25d24181a4fa9fd6dc8
Opcode Fuzzy Hash: 6938e42f403e5b3c2de8546706d2591bdffee446bc74757f232730d874be177a
Instruction Fuzzy Hash: C311E5B6900649DFDB10CF99D588BDEBBF4EB88324F15841AE919B7700C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011BDEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 011BDF1D

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: efde9ca1ebae668e17819fe348cba6babbf405353f763118dbbe6fb044c0f386
Instruction ID: db28e43c3f8ce4587c868b80c0bc1f68004d4eca0ed18c58fdc5d534d89ade1f
Opcode Fuzzy Hash: efde9ca1ebae668e17819fe348cba6babbf405353f763118dbbe6fb044c0f386
Instruction Fuzzy Hash: 9611E5B59006499FDB10CF9AD584BDEBBF8EB48324F10841AE915A7700C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0771E808, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0771E865

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1c68146379049c4094a56994b6b25d34614ab4bcc2e009cff166782baaa1b9be
Instruction ID: e22410362038a371c3a48f778ab482c5273f2a8123cfd8f068e6ceb184738ce3
Opcode Fuzzy Hash: 1c68146379049c4094a56994b6b25d34614ab4bcc2e009cff166782baaa1b9be
Instruction Fuzzy Hash: 9411E5B58003499FDB10CF9AD884BDEBFF8EB48324F108419E915A7600C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D70EEC, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.241604046.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ac652ca620649615f4f1d4355c1ff71c2ac690394cf205ec52c9106516bec8
Instruction ID: 444c888c3f67005b184cad8c7509f9570778a7b27c00f24294db1e0e105464d7
Opcode Fuzzy Hash: a8ac652ca620649615f4f1d4355c1ff71c2ac690394cf205ec52c9106516bec8
Instruction Fuzzy Hash: 96F05EB1D482499FD741DF7888452AABFF0FF0A300F1584EAD041D76A1F3B492059B51

Uniqueness

Uniqueness Score: -1.00%

Function 04D70E99, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.241604046.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f882d884c0e07fceedccf3b1f8a3e963a8a829e52aa132c8d55bb9645d5d013
Instruction ID: 24ac9f67152a1c29fafbaad6a75018570147bc96141c86642d20b0f75dabe018
Opcode Fuzzy Hash: 3f882d884c0e07fceedccf3b1f8a3e963a8a829e52aa132c8d55bb9645d5d013
Instruction Fuzzy Hash: 46E092749002099FDB11CF69C48068A7FB1EB05614F95459AD0159BAA0D73A514BCF80

Uniqueness

Uniqueness Score: -1.00%

Function 04D70EA8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.241604046.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ecebfbfadfd29d434ccbb55040825236b2896811bc06162476debf245a7b405
Instruction ID: bb40eb137b77768cb0e16a6af2cbd16bab261a533939b2fbb9bccb282fbbf102
Opcode Fuzzy Hash: 6ecebfbfadfd29d434ccbb55040825236b2896811bc06162476debf245a7b405
Instruction Fuzzy Hash: FAE092B0D44209DFD740EFA9C90565EBBF0BF08200F1188AAD115E7361E7B4A6048F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0094A9EA, Relevance: 5.2, Instructions: 5200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.239457046.0000000000942000.00000002.00020000.sdmp, Offset: 00940000, based on PE: true

Associated: 00000001.00000002.239446990.0000000000940000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d197e6be298e9d09e1e69edb736edba26feb11ac150aafb1412c40a64b3b39bd
Instruction ID: 0c166cc550eddeed2823aae10080917cf2d39da1accddd658adfae8cb8baad70
Opcode Fuzzy Hash: d197e6be298e9d09e1e69edb736edba26feb11ac150aafb1412c40a64b3b39bd
Instruction Fuzzy Hash: E1937D6280F7C29FC7538B749DB55D1BFB1AE6721431E08CBD0C08F1A3E219596ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 07718BB0, Relevance: 4.0, Strings: 3, Instructions: 228COMMON

Download Yara Rule

Strings

&Cw, xrefs: 07718E7D
&Cw, xrefs: 07718E9B
&Cw, xrefs: 07718E76

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID: &Cw$&Cw$&Cw
API String ID: 0-958894360
Opcode ID: 720638a192703e1cc4c5c7ff9204129ffcfcef358fb08e2c1f12ae0a843c713c
Instruction ID: f1929ab44da373c8b455f911dde0dee6527dc0d89a5692fb73e4caf16acbf23f
Opcode Fuzzy Hash: 720638a192703e1cc4c5c7ff9204129ffcfcef358fb08e2c1f12ae0a843c713c
Instruction Fuzzy Hash: 7891F3B4E052198BCB08CFE9C5855DEFBF2BF89364F18C569D408AB204E7749942CB62

Uniqueness

Uniqueness Score: -1.00%

Function 07718BA3, Relevance: 4.0, Strings: 3, Instructions: 227COMMON

Download Yara Rule

Strings

&Cw, xrefs: 07718E7D
&Cw, xrefs: 07718E9B
&Cw, xrefs: 07718E76

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID: &Cw$&Cw$&Cw
API String ID: 0-958894360
Opcode ID: ee08c03360c37d2b97b3c36a2f6c70e0203b8ccd166681c555224d2217e309fd
Instruction ID: 0e9ff4f3e45f23ff6dbafa82ef0df9d1d42b34d0732e9c58dab0aaddd69897d1
Opcode Fuzzy Hash: ee08c03360c37d2b97b3c36a2f6c70e0203b8ccd166681c555224d2217e309fd
Instruction Fuzzy Hash: AD9105B4E052198FCB04CFA9C5855DEFBF2BF89364F18C56AD404A7205D7349942CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 07719170, Relevance: 2.7, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

TY, xrefs: 0771937B
;6, xrefs: 07719251

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID: ;6$TY
API String ID: 0-1935084293
Opcode ID: f14128b29c0e2dc9b978118c4322c0115ef541c62cb72e39ec494f55083f56d0
Instruction ID: a7d299d56144c29da3ee22316e6c9a259a59a9853a5cd6b3358311ba91df520d
Opcode Fuzzy Hash: f14128b29c0e2dc9b978118c4322c0115ef541c62cb72e39ec494f55083f56d0
Instruction Fuzzy Hash: D4816DB4E1524A9FCB08CFA9C4455EEFBF2BF89390F14D826D915A7254D334EA428F90

Uniqueness

Uniqueness Score: -1.00%

Function 07719180, Relevance: 2.7, Strings: 2, Instructions: 196COMMON

Download Yara Rule

Strings

TY, xrefs: 0771937B
;6, xrefs: 07719251

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID: ;6$TY
API String ID: 0-1935084293
Opcode ID: c72b79ae00d50e2e95beb2b22aecc25cce9869bc9cbf54ecbb751b31b8a8f9b1
Instruction ID: 2753d44c27956add362eaad31dc57d8f8e13d7ec46fdbe47048308134c2acdb9
Opcode Fuzzy Hash: c72b79ae00d50e2e95beb2b22aecc25cce9869bc9cbf54ecbb751b31b8a8f9b1
Instruction Fuzzy Hash: 55715CB4E1524A8FCB08CFAAC5855EEFBF2BF89350F14D825D915A7254D334EA428F90

Uniqueness

Uniqueness Score: -1.00%

Function 0094DCE7, Relevance: 1.2, Instructions: 1208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.239457046.0000000000942000.00000002.00020000.sdmp, Offset: 00940000, based on PE: true

Associated: 00000001.00000002.239446990.0000000000940000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68624d02bfccc0ccb70499e8775523a5aac1e6e9ce01b15f45a4d13ea44b806
Instruction ID: a4319813f10bd1949e27bd8589426bbe9558db74d685da5276e19c604bdd3da4
Opcode Fuzzy Hash: b68624d02bfccc0ccb70499e8775523a5aac1e6e9ce01b15f45a4d13ea44b806
Instruction Fuzzy Hash: F0A23A7540E7C29FDB534B7889B56D1BFB0AE5722471E08DBC0C0CF5A3E229195ADB22

Uniqueness

Uniqueness Score: -1.00%

Function 011BC2B0, Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7045008c81be1dc4324e553d620f22e55de1f4d7a60af109cf02bb4f657167e
Instruction ID: 4466f9e3242bcd87525eb2142bab51cc039b55fc741c894dbb7baafab3e935e3
Opcode Fuzzy Hash: d7045008c81be1dc4324e553d620f22e55de1f4d7a60af109cf02bb4f657167e
Instruction Fuzzy Hash: 72524AB15207068FE714CF16E8CA2997FF2FB41318B924208E1615BBD1DBB6B586CF84

Uniqueness

Uniqueness Score: -1.00%

Function 04D70448, Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.241604046.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1b256608ef5382d9f8c2bf15efafa885098e3772194925d39e0a9ece13b2a8
Instruction ID: 557005a1f7503fc5cc20fd42d1b777fc9452b83cb6347b74ca05c157c233a3c2
Opcode Fuzzy Hash: 4f1b256608ef5382d9f8c2bf15efafa885098e3772194925d39e0a9ece13b2a8
Instruction Fuzzy Hash: 2BD1AE707006058FEB2AEB75C4907AE77FAAF89708F14846DD545DB2D0EB39E902CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04D71770, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.241604046.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4af98684f2ed7ac56abd467fc1cca7b10d05e93b07da99657d3dcd1c006766f
Instruction ID: 60bdb6cf1913ea8c9fef89df022df9a5c0aeae78de06152e86892ca2891edb69
Opcode Fuzzy Hash: e4af98684f2ed7ac56abd467fc1cca7b10d05e93b07da99657d3dcd1c006766f
Instruction Fuzzy Hash: A4D1B134A00605CFDB08DF69C598AADB7F1BF49701F6981A8E409AB361EB31ED45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 011B9990, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.240397074.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854b1035c5a4e01c0258a1e8fcc4c0f1fe9a3a7dae556070f3e9c6019bc0dbe1
Instruction ID: e211ffb31f03a68a94b4fe12d5140045acfb6b85e571b00eff2038866e78151f
Opcode Fuzzy Hash: 854b1035c5a4e01c0258a1e8fcc4c0f1fe9a3a7dae556070f3e9c6019bc0dbe1
Instruction Fuzzy Hash: 53A17372E1061A8FCF09DFB9C8845DDBBB2FF85304B15856AE905BB261EB31E945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 07710929, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61bee2b351d209b600bf0ab1e28175040c73464a182b8580d2b70f5104730a0
Instruction ID: 606089fd9c8815419e45fc672c3311d2c9f5441ab66d7216954eea54d4956f64
Opcode Fuzzy Hash: b61bee2b351d209b600bf0ab1e28175040c73464a182b8580d2b70f5104730a0
Instruction Fuzzy Hash: 389106B4A1421ADFCB04CFA9C5859AEFBF1FF89350F248566D415AB720D334AA42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07710938, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95a9c52044aaea268a23be018d223b7641843861468a1bed6fa84b949907c7b
Instruction ID: 53ac5c18f305baec657e9e88fbea587d0a60d2288e8167010f732247106d8ea2
Opcode Fuzzy Hash: c95a9c52044aaea268a23be018d223b7641843861468a1bed6fa84b949907c7b
Instruction Fuzzy Hash: DA91E3B4A1421ACFCB04CF99C5859AEFBF1FF89350F14946AD419AB324D334AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07710740, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a290519b55f415e752863b3387018f67a31eb35ad20720e74f27b23b84a3e94
Instruction ID: 8003f71f8d1050d10759d65f400979cdd5217934e0728b82402d93ce20630805
Opcode Fuzzy Hash: 0a290519b55f415e752863b3387018f67a31eb35ad20720e74f27b23b84a3e94
Instruction Fuzzy Hash: 0F618DB0E1020ADFCB04CFA9C5814AEFBB2FF89384F24C56AC516A7215D7349A81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07711D51, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b46e8d2520d15be0f8b65619e36a44946a249a53f262789bc21a6defaf768dfe
Instruction ID: c37916232b5ff23ec93b3b4924d1d049487fbd73f12f6f7bd6583152caed79f6
Opcode Fuzzy Hash: b46e8d2520d15be0f8b65619e36a44946a249a53f262789bc21a6defaf768dfe
Instruction Fuzzy Hash: C16115B4E152099FCB04CFA9C9808DEFBF2FF89250F24946AD505BB324D3349A418B65

Uniqueness

Uniqueness Score: -1.00%

Function 077114D1, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50342d575d73f2dea9e8a637349048dfe5ec0bc4255bb520bde40faa1db6fa27
Instruction ID: 815ea7e52a42ce3a60f97ccaa689dcd71baebc01bffce1ca3b9d7518537f57cb
Opcode Fuzzy Hash: 50342d575d73f2dea9e8a637349048dfe5ec0bc4255bb520bde40faa1db6fa27
Instruction Fuzzy Hash: 9C6133B4E1121ECFCB04CF99D9909EEFBF2FB49340F548556D506AB215C730AA82CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 077114E0, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b4ae9bd15ed3411024cb989d392d7c8a06f8e7d5159d60d62ee38b00cc8b61
Instruction ID: 36400a22a2a9af5f2b4a33382f8e5a8bba239d11347aefc6019a20134611fbc2
Opcode Fuzzy Hash: a9b4ae9bd15ed3411024cb989d392d7c8a06f8e7d5159d60d62ee38b00cc8b61
Instruction Fuzzy Hash: 876112B4E1121DCFCB04CF99D5909AEFBF2FB49340F64855AD506BB214C730AA42CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07711D60, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee27e3ae1eec5624f62e1897c38c30737363b7cd4ca96df23b7290b46adfe22c
Instruction ID: 7aa22295fbbab962a7444c0a3a132b6745dd7a6150a517484d022346e19fc208
Opcode Fuzzy Hash: ee27e3ae1eec5624f62e1897c38c30737363b7cd4ca96df23b7290b46adfe22c
Instruction Fuzzy Hash: 0F61E2B4E15219DFCB08CFA9C5808DEFBF2FF89250F24952AD505BB324D7349A418B65

Uniqueness

Uniqueness Score: -1.00%

Function 0771A550, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e01c98e22bdd62f7eedd5fc58075363cdd6ed332a6426f75d73f402c02bb5c
Instruction ID: 08590161c35904af6f5cdeea86e12d3aa3663ef936da494740b1b0d1716a3b86
Opcode Fuzzy Hash: 36e01c98e22bdd62f7eedd5fc58075363cdd6ed332a6426f75d73f402c02bb5c
Instruction Fuzzy Hash: 6D614EB4E151198BCB14CFA9C980AAEFBB6BF89344F24C565D408A7319D7309A41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07712D40, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240b5b069a0509fec7d24886698fb1095f759cc2797da00f3c44cc6c0c478dc2
Instruction ID: a5300325a7666d36a35f1195f640b2c3893bbe49ff410a4f10983f59c1d7a2d8
Opcode Fuzzy Hash: 240b5b069a0509fec7d24886698fb1095f759cc2797da00f3c44cc6c0c478dc2
Instruction Fuzzy Hash: 3B5148B1E016188BDB68DF6B9D4579EFAF7BFC9204F14C1BA990CA6214DB300A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 07711B48, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2a723b4d6044b4f115d08bd1e048c82c75e3f9695da838d60b94826341dc03
Instruction ID: 8b03c09b46c17226c297ee526c16027952e22c4f83281d324f037f8dbd97361a
Opcode Fuzzy Hash: 6f2a723b4d6044b4f115d08bd1e048c82c75e3f9695da838d60b94826341dc03
Instruction Fuzzy Hash: 084116B4E0460E8FCB48CFAAD5815EEFBF2AF89340F54C46AD515AB250E3349A41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07711F99, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc69bee510fd960afd870268be39886dd48e127dc57de5b7e0e30d9513b1cf2
Instruction ID: e8bbe1aa48cf3766f9de26fbd5759ecb7e56d8a2e3b38f76a8aedbbc389991c3
Opcode Fuzzy Hash: afc69bee510fd960afd870268be39886dd48e127dc57de5b7e0e30d9513b1cf2
Instruction Fuzzy Hash: 2F4125B0E1520ACFCB48CFAAC5405AEFBF2FF89380F24C16AC905A7255D7319A41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 07711FA8, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a38f864deb92472f06a2c56fa184af2ac2c76ada2391fee652cd12b5e2a14e
Instruction ID: ab4c8d8457e4278a03f7893d640c15b5ab6f2763a744ecbb1f7979860731b49d
Opcode Fuzzy Hash: 53a38f864deb92472f06a2c56fa184af2ac2c76ada2391fee652cd12b5e2a14e
Instruction Fuzzy Hash: 7E41E4B4E1520ACFCB44CFAAC5805AEFBF2FB89340F24C16AC505B7215D7319A41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07711B58, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4636a478e43f544a16ce44b1f9af01dc461ac5d4eeef988738040a1a44c502ed
Instruction ID: d641f308ccbaf2d7470ce5ea2ea20d7296c06e86f3a2a12bef64dc01cc47eb8d
Opcode Fuzzy Hash: 4636a478e43f544a16ce44b1f9af01dc461ac5d4eeef988738040a1a44c502ed
Instruction Fuzzy Hash: 3A41E6B4E1460ECBCB48CFAAC5815AEFBF2BF89240F64D469C515AA254E3349A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07716A10, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3edde655fadecf07c104bb1c37d839fd58041ed64c8abb79e5ef8eddc337dc
Instruction ID: d77d9dcf1ab13ce41f5d488e0b09200e8d6f8ae9b5f10f717928527e7b65be23
Opcode Fuzzy Hash: 2b3edde655fadecf07c104bb1c37d839fd58041ed64c8abb79e5ef8eddc337dc
Instruction Fuzzy Hash: 0E1129B1E116199BDB18CFAAD941AEEFBF7EFC8210F14C07AD418B7254DB304A018B91

Uniqueness

Uniqueness Score: -1.00%

Function 04D71B98, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.241604046.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0b8c97bdc770d5a6be9de29d80398fa4e62b49b910ce10bcaf7279ecc7fcda
Instruction ID: edc4ce6ead932f2f62bfbf0a06326634ec8781c7274b1882c93be6c93e225ee6
Opcode Fuzzy Hash: 6f0b8c97bdc770d5a6be9de29d80398fa4e62b49b910ce10bcaf7279ecc7fcda
Instruction Fuzzy Hash: E911AC30E042188FDB048FA4D549BEDBFF0BB0E305F09916AD441B7280EB749A45DB34

Uniqueness

Uniqueness Score: -1.00%

Function 07712170, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939e6d69f4a575b6ffd51fcc9c9f0fedf5d03b5241a5acd4a8afcd98b41d0573
Instruction ID: 0e0be5ad64e849a08f4291b8bd9a1bfa85d9e014f8292f377386c11e00d91c66
Opcode Fuzzy Hash: 939e6d69f4a575b6ffd51fcc9c9f0fedf5d03b5241a5acd4a8afcd98b41d0573
Instruction Fuzzy Hash: 3A110AB1E006189BEB1CCFABD8406DEFAF7BFC8240F04C17AC908A6214EB3416568F51

Uniqueness

Uniqueness Score: -1.00%

Function 07712163, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.246560570.0000000007710000.00000040.00000001.sdmp, Offset: 07710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb318e0c006476e1a1f3cd0e7c25baf69f346bc942efacedb0656b135f8638f
Instruction ID: 24dc39251cfb37e2dba07e146c7b8e66e3172ef9d92f43bd15cb2e07422f10cb
Opcode Fuzzy Hash: 3fb318e0c006476e1a1f3cd0e7c25baf69f346bc942efacedb0656b135f8638f
Instruction Fuzzy Hash: AC110DB1E046589BEB1CCF6BDC446DEFAF7AFC9240F08C57AC808A6255EB7405468F51

Uniqueness

Uniqueness Score: -1.00%

Function 04D71BA8, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.241604046.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164ef69f5bb7be83ade9fd8ca3abb3ddc20b544f5b4fa702aed77902ad5f75e5
Instruction ID: a0695d36fd28344da368d396733954c7d153b26b3d534bf24c2b4440e180a92f
Opcode Fuzzy Hash: 164ef69f5bb7be83ade9fd8ca3abb3ddc20b544f5b4fa702aed77902ad5f75e5
Instruction Fuzzy Hash: 71114830D042188BDB148FA5C448BEEFEF1AB4E304F08916AD041B3290EB749944DA68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Quotation-4834898943949883.pdf.exe PID: 4120 Parent PID: 5956 Quotation-4834898943949883.pdf.exeCOMMON

Executed Functions

Function 00419FE0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419FE0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041AB30(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419fe3
0x00419fef
0x00419ff7
0x0041a002
0x0041a01d
0x0041a025
0x0041a029

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025

Strings

BMA, xrefs: 0041A01D, 0041A024
BMA, xrefs: 0041A002, 0041A010

Memory Dump Source

Source File: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 370e936de0c6b30a0e9c68c176e8d16dab5dfb862c4be705976860dd555c5517
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: DCF0A4B2210208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F82, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D

Strings

HA, xrefs: 00419FAC, 00419FB8

Memory Dump Source

Source File: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: HA
API String ID: 823142352-3712622743
Opcode ID: e6def85dd244e6f00c86dcf4bd7623596246ce6f3fe0c4ba39b3080679d7feb1
Instruction ID: 7a6a9a0d0bdac0b0523380b790474678bd4a5031e88514085c01f96e071c11c7
Opcode Fuzzy Hash: e6def85dd244e6f00c86dcf4bd7623596246ce6f3fe0c4ba39b3080679d7feb1
Instruction Fuzzy Hash: F2014BB2214104AFCB08DFA9DC94CEB77E9EF8C364711874AF95D93241C634E852CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419F2A, Relevance: 1.6, APIs: 1, Instructions: 63filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D

Memory Dump Source

Source File: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5c202e8f990d4a0d26a684ca8da9d1e1b1ff8c4ad7a712f99febd9e5942d4e19
Instruction ID: 2823664fc8ac65699f9a90064539094d3ef20efc8e82b032014781e4ecb66427
Opcode Fuzzy Hash: 5c202e8f990d4a0d26a684ca8da9d1e1b1ff8c4ad7a712f99febd9e5942d4e19
Instruction Fuzzy Hash: 6F11F2B2200108AFCB18DF98DC95EEB77A9EF8C354F158649FA0D97241C634E852CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D

Memory Dump Source

Source File: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 961861021b5599f6e321fa2eb4d652485a26ebd9b99d875dc12ce75f1520402c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 3DF0BDB2215208ABCB08CF89DC95EEB77ADAF8C754F158248BA0D97241C630F8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A110, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149

Memory Dump Source

Source File: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 37a8c631670896842b218247a062c4f669cdd6b33082669530ec9f00ac69b820
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 2BF015B2210208ABCB14DF89CC81EEB77ADAF88754F118249BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085

Memory Dump Source

Source File: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 6cd8388973e83edfd6cfca07806e1d74deb588f8289630df2fc4ecf908b9aac5
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 48D01776200214ABD710EB99CC85FE77BADEF48760F154599BA189B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01499860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0149986A

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0751c29557b99b23309c568b5d126fcc8a9d5db010f3f7ae83ec97bcf861dca4
Instruction ID: 9cd976e50118ac1e7553b7cbc2c36ef6c06d8be227c876243c70065662e96d98
Opcode Fuzzy Hash: 0751c29557b99b23309c568b5d126fcc8a9d5db010f3f7ae83ec97bcf861dca4
Instruction Fuzzy Hash: 8B90027160100423D111619945047070009A7E0281FD2C413A0414599DDBA68952B161

Uniqueness

Uniqueness Score: -1.00%

Function 01499660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0149966A

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 43c003c12bd91407923f187ba67aab63b542ea7abf90136da1d2a300689c59d4
Instruction ID: d81d22387c8b41578ff457962711c3fbbd25d7cb43d2531e580cd1a3a7557743
Opcode Fuzzy Hash: 43c003c12bd91407923f187ba67aab63b542ea7abf90136da1d2a300689c59d4
Instruction Fuzzy Hash: 4890027160100812D1807199440464A0005A7E1341FD2C016A0015695DCF658A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 014996E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 014996EA

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: addf5a2d29bb82757ff9784cdca26ac6f4c4304038948ea2ee21bd832cd8f452
Instruction ID: 46f8991b4938115a7b6f418dcb66c3c2f50ef5b377b93e9905155747b7599a37
Opcode Fuzzy Hash: addf5a2d29bb82757ff9784cdca26ac6f4c4304038948ea2ee21bd832cd8f452
Instruction Fuzzy Hash: CC90027160108812D1106199840474A0005A7E0341FD6C412A4414699DCBE588917161

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c5ef8e944cab25d8eb143591a8e1e58eaf9dd172324d68f82961ead0c2a810
Instruction ID: 432e1ce9d525f57aefaca7daa4fe6280bf22d9d084bd04ba996dfdd8e8b53d12
Opcode Fuzzy Hash: 88c5ef8e944cab25d8eb143591a8e1e58eaf9dd172324d68f82961ead0c2a810
Instruction Fuzzy Hash: 4F210CB2D4020857CB25D665AD42BEF737CAB54318F04017FE949A3182F638BE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A232, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A26D

Memory Dump Source

Source File: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d4a8484280c5c3cc4c00fd03a97789b48d99398bd863a55d0b4f5649834a3aa3
Instruction ID: fe5d3886b99bc33a4c5d67cb5637ca3219be824b1f395093fbec5b34452c988a
Opcode Fuzzy Hash: d4a8484280c5c3cc4c00fd03a97789b48d99398bd863a55d0b4f5649834a3aa3
Instruction Fuzzy Hash: 13F0A0752002046FCB14DFA5DC08EE7776CEF88760F00455AFA1C5B241C630F9528BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A240, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A26D

Memory Dump Source

Source File: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 8b4701b4f03220052e2b3b5ed4c672ef58e2eb60ff823c8fb6afa074398e137c
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DCE04FB12102046BD714DF59CC45EE777ADEF88750F014559FE0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A200, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A22D

Memory Dump Source

Source File: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 4224f920e4464a65d08b1d76aaa125f94db740d8927d38e6c7d6b62f4195d12c
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 58E012B1210208ABDB14EF99CC41EA777ADAF88664F118559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0149967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01499694

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf648d572bc0da0c2e22b3a0a61025992d35bed910f2b1c2bc1dda3743a46fe4
Instruction ID: 680854af1646cdd190a9bcf321dcf2d157018722dc48e09fd6fc6846967ae1ab
Opcode Fuzzy Hash: cf648d572bc0da0c2e22b3a0a61025992d35bed910f2b1c2bc1dda3743a46fe4
Instruction Fuzzy Hash: F8B09B71D014C5D5DB11D7A546087177D0077D0745F57C057D1060692B4778C491F5F5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0150B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0150B484
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0150B2F3
The critical section is owned by thread %p., xrefs: 0150B3B9
write to, xrefs: 0150B4A6
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0150B476
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0150B314
Go determine why that thread has not released the critical section., xrefs: 0150B3C5
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0150B2DC
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0150B38F
*** enter .cxr %p for the context, xrefs: 0150B50D
read from, xrefs: 0150B4AD, 0150B4B2
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0150B323
The resource is owned exclusively by thread %p, xrefs: 0150B374
The instruction at %p referenced memory at %p., xrefs: 0150B432
an invalid address, %p, xrefs: 0150B4CF
The instruction at %p tried to %s , xrefs: 0150B4B6
*** then kb to get the faulting stack, xrefs: 0150B51C
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0150B53F
<unknown>, xrefs: 0150B27E, 0150B2D1, 0150B350, 0150B399, 0150B417, 0150B48E
*** Resource timeout (%p) in %ws:%s, xrefs: 0150B352
This failed because of error %Ix., xrefs: 0150B446
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0150B47D
The resource is owned shared by %d threads, xrefs: 0150B37E
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0150B3D6
*** An Access Violation occurred in %ws:%s, xrefs: 0150B48F
*** Inpage error in %ws:%s, xrefs: 0150B418
a NULL pointer, xrefs: 0150B4E0
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0150B305
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0150B39B
*** enter .exr %p for the exception record, xrefs: 0150B4F1

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 88dda382ad9c0dec06f0d55e9369fe2bb83c0c2c1ffaaeb978c396f42f846a09
Instruction ID: a4e58e78f88eccd977bfd99ed2e53d65ba38dda7bff1e713f44836f658d5e46b
Opcode Fuzzy Hash: 88dda382ad9c0dec06f0d55e9369fe2bb83c0c2c1ffaaeb978c396f42f846a09
Instruction Fuzzy Hash: 5A8124BDA80200FFEB225E8A9C89D6F3B66FF76A56F51004EF5042F1B2D2758511C672

Uniqueness

Uniqueness Score: -1.00%

Function 01511C06, Relevance: 31.4, Strings: 25, Instructions: 195COMMON

Download Yara Rule

Strings

heap_failure_listentry_corruption, xrefs: 01511CD0
heap_failure_virtual_block_corruption, xrefs: 01511C91
heap_failure_invalid_allocation_type, xrefs: 01511CB4
HEAP[%wZ]: , xrefs: 01511C30, 01511CF7, 01511D42, 01511D8B, 01511DD4, 01511E25, 01511E6D
heap_failure_invalid_argument, xrefs: 01511CAD
Error code: %d - %s, xrefs: 01511D12
heap_failure_block_not_busy, xrefs: 01511CA6
Parameter2: %p, xrefs: 01511DA5
Parameter3: %p, xrefs: 01511DEE
heap_failure_generic, xrefs: 01511C7C
heap_failure_buffer_underrun, xrefs: 01511C9F
heap_failure_freelists_corruption, xrefs: 01511CC9
Last known valid blocks: before - %p, after - %p, xrefs: 01511E45
heap_failure_cross_heap_operation, xrefs: 01511CC2
heap_failure_multiple_entries_corruption, xrefs: 01511C8A
Parameter1: %p, xrefs: 01511D5C
Stack trace available at %p, xrefs: 01511E86
HEAP: , xrefs: 01511C16, 01511C3D, 01511D04, 01511D4F, 01511D98, 01511DE1, 01511E32, 01511E7A
heap_failure_internal, xrefs: 01511C6E
heap_failure_entry_corruption, xrefs: 01511C83
heap_failure_usage_after_free, xrefs: 01511CBB
Heap error detected at %p (heap handle %p), xrefs: 01511C50
heap_failure_buffer_overrun, xrefs: 01511C98
heap_failure_unknown, xrefs: 01511C75
heap_failure_lfh_bitmap_mismatch, xrefs: 01511CD7

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 4f2c1919c526b3743e373aa3610adb2dfd53f84ef72060a57f2ea2d22643ac8f
Instruction ID: 3e51efc0b61d897c4cca4e5b04efaf4740078a16f9fea0dfef49a24958423aa3
Opcode Fuzzy Hash: 4f2c1919c526b3743e373aa3610adb2dfd53f84ef72060a57f2ea2d22643ac8f
Instruction Fuzzy Hash: 5061363A520905DFF792A7BAD4C5D2473E1FB14974B1A80AFFA0D6F265D6388C408F49

Uniqueness

Uniqueness Score: -1.00%

Function 0148C9BF, Relevance: 14.2, Strings: 11, Instructions: 412COMMON

Download Yara Rule

Strings

SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 014CA8EC
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 014CAC0A
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 014CAC2C
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 014CAB0E
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 014CAAA0
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 014CAA11
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 014CAA1A
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 014CABF3
RtlpResolveAssemblyStorageMapEntry, xrefs: 014CAC27
@, xrefs: 014CABA3
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 014CAAC8

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: e371d8d87ae5c8c46bfd99288f17d17148913ea3a1032fb0222480b898e7a04e
Instruction ID: fb3e4ca7008b807be3cab5f2c6271d005297f04b38dec214928cb42fbfbf109e
Opcode Fuzzy Hash: e371d8d87ae5c8c46bfd99288f17d17148913ea3a1032fb0222480b898e7a04e
Instruction Fuzzy Hash: C4028FF5D002299BDB71DB18CD80BEEB7B8AB14704F1041DFA609A7261E7309E85CF69

Uniqueness

Uniqueness Score: -1.00%

Function 01514AEF, Relevance: 11.8, Strings: 9, Instructions: 529COMMON

Download Yara Rule

Strings

Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 0151508C
Heap block at %p is not last block in segment (%p), xrefs: 01514FD6
Heap block at %p has incorrect segment offset (%x), xrefs: 0151503B
Free Heap block %p modified at %p after it was freed, xrefs: 01514F2F
HEAP: , xrefs: 01514F1A, 01514F6A, 01514FC7, 0151502A, 0151506E, 015150B6, 01515107
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 015150C6
HEAP[%wZ]: , xrefs: 01514EE1, 01514F0D, 01514F5D, 01514FBA, 0151501D, 01515061, 015150FA
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 01515119
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 01514F81

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 60390edfa42f9fd02676027d3e7e043dcef375f20e8746233e21a9bce067a85a
Instruction ID: 2c809c57de41adcb32c7cbdc6c4b3abd1368e9e7121d683e71ec4976217fea11
Opcode Fuzzy Hash: 60390edfa42f9fd02676027d3e7e043dcef375f20e8746233e21a9bce067a85a
Instruction Fuzzy Hash: B712C1302006429FEB26DF69C485BBABBF1FF59704F14885EE4868F695D734E881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0147A309, Relevance: 8.2, Strings: 6, Instructions: 687COMMON

Download Yara Rule

Strings

(!TrailingUCR), xrefs: 014C2274
(UCRBlock != NULL), xrefs: 014C1EA0
((LONG)FreeEntry->Size > 1), xrefs: 014C1F89
(LONG)FreeEntry->Size > 1, xrefs: 014C213C
HEAP: , xrefs: 014C1E95, 014C1F7E, 014C2131, 014C2269
HEAP[%wZ]: , xrefs: 014C1E88, 014C1F71, 014C2124, 014C225C

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: b2ed2f61389cc3e508db78b6043a92670499da122449b1388551783790c1ddfc
Instruction ID: d30c799ca3c01f568189cb1e29e6299412194fc44e44a2f00917832cb467f785
Opcode Fuzzy Hash: b2ed2f61389cc3e508db78b6043a92670499da122449b1388551783790c1ddfc
Instruction Fuzzy Hash: A54220342043429FD711DF29C884B6FBBE1FF98A04F28496EE5868B362D774D946CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01512D82, Relevance: 7.7, Strings: 6, Instructions: 228COMMON

Download Yara Rule

Strings

Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0151305E
Just allocated block at %p for %Ix bytes, xrefs: 01512F5F
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 01513015
HEAP: , xrefs: 01512F4B, 01512FF8, 0151304F
HEAP[%wZ]: , xrefs: 01512F3E, 01512FEB, 01513042
RtlAllocateHeap, xrefs: 01512DCA

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: 5c57d73c774be9d86ccc04133fb1d9cee91df9391ce346b6dcd4f6f4410cdc64
Instruction ID: 7f2a168f6e6fe5bf6cb9bf4ecf31d37cb40bc0674338c4412ac699eeff5af8e0
Opcode Fuzzy Hash: 5c57d73c774be9d86ccc04133fb1d9cee91df9391ce346b6dcd4f6f4410cdc64
Instruction Fuzzy Hash: 26912335500681DFEB63DF69C450AADBBF2FF99710F29841EE5455F2A6C7329982CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0148CCC0, Relevance: 7.7, Strings: 6, Instructions: 218COMMON

Download Yara Rule

Strings

\WinSxS\, xrefs: 0148CDF3
SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 014CAD78
.Local\, xrefs: 0148CD61
@, xrefs: 0148CE1D
SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 014CAD06
SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 014CAD9C

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
API String ID: 0-3926108909
Opcode ID: 9693fed951dcfdf4fbd62ff0b63eb1ffcc2fe6a633097a2d278aa19f1c1325d9
Instruction ID: 57d962bf876127185a7c9f7872043313039cfa38c53fca83fb486da7f67307d0
Opcode Fuzzy Hash: 9693fed951dcfdf4fbd62ff0b63eb1ffcc2fe6a633097a2d278aa19f1c1325d9
Instruction Fuzzy Hash: D581CC755043029BD711EF29C884A6FBBE8EF95B14F14895FF8848B361E370D945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01472430, Relevance: 6.7, Strings: 5, Instructions: 461COMMON

Download Yara Rule

Strings

, xrefs: 014724C0
Internal error check failed, xrefs: 014BD3DB
Status != STATUS_SXS_SECTION_NOT_FOUND, xrefs: 014BD3CC
minkernel\ntdll\sxsisol.cpp, xrefs: 014BD3D6
, xrefs: 014724E4

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
API String ID: 0-3393094623
Opcode ID: 0ad60e7d104a1782f28605701e70d2a459f5f5cddc4a991290cc8e1f7c299d9d
Instruction ID: 9adce9ff2560bff766a761ec5e959109059eaa975f937e7199f8a49f18f58352
Opcode Fuzzy Hash: 0ad60e7d104a1782f28605701e70d2a459f5f5cddc4a991290cc8e1f7c299d9d
Instruction Fuzzy Hash: F9028D719083518BD725DF68C180BEBBBE4BF88714F14492FEA9997361D3B0D845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01463D34, Relevance: 6.7, Strings: 5, Instructions: 435COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-SKU, xrefs: 01463F70
WindowsExcludedProcs, xrefs: 01463D6F
Kernel-MUI-Language-Disallowed, xrefs: 01463E97
Kernel-MUI-Language-Allowed, xrefs: 01463DC0
Kernel-MUI-Number-Allowed, xrefs: 01463D8C

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 6c9bd75f3dbb21b29e821c41e8f155e1dafb39796df01941e1e8e8bc7548e344
Instruction ID: 0f2f67e626a5fc50403877c91253c6bf811dbaedba780867f8b64f32ef941f03
Opcode Fuzzy Hash: 6c9bd75f3dbb21b29e821c41e8f155e1dafb39796df01941e1e8e8bc7548e344
Instruction Fuzzy Hash: 3BF129B2D0065AEBCF15DF99C980AEEBBBDFF58650F15006BE505A7260D7349E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014540E1, Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

, passed to %s, xrefs: 014B0469
HEAP: , xrefs: 014B044C
HEAP[%wZ]: , xrefs: 014B043F
RtlAllocateHeap, xrefs: 014B0468
Invalid heap signature for heap at %p, xrefs: 014B0458

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 8c95d093d2005b7dd6ac3c32d6a02fac883d7cd73d600dd960d3b5a41862533e
Instruction ID: 3a45cca3433d2ef7c59626d1f3e074573b3b800bb6c41c1efb05180006f46f12
Opcode Fuzzy Hash: 8c95d093d2005b7dd6ac3c32d6a02fac883d7cd73d600dd960d3b5a41862533e
Instruction Fuzzy Hash: 19012D32110191AED369977A944DF9377B4DB51B71F2AC02FF4044B7B28AB89440C931

Uniqueness

Uniqueness Score: -1.00%

Function 0147A830, Relevance: 5.4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

Strings

((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 014C22F3
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 014C2403
HEAP: , xrefs: 014C22E6, 014C23F6
HEAP[%wZ]: , xrefs: 014C22D7, 014C23E7

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 0f5eb67ba32958179192aa1dae5f03c729eabb12008363d9a4710598daf58b1b
Instruction ID: a5c6ea67dfe05aaf5833c76276503e93e5295602420d5e7b79ae8d3cdf9f3d9c
Opcode Fuzzy Hash: 0f5eb67ba32958179192aa1dae5f03c729eabb12008363d9a4710598daf58b1b
Instruction Fuzzy Hash: 74D1E074A002069FDB19DF68C590BBEB7F1FF48300F29856ED9569B362E370A946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0147A229, Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

`, xrefs: 014C1C8D
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 014C1DF9
HEAP: , xrefs: 014C1DE4
HEAP[%wZ]: , xrefs: 014C1DD7

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: fae6164d6e89aa41757af69919809f58885a0f5cbebfa1d15e4a75fbdf092687
Instruction ID: d1e124217af573081f2ef9f41e318427a143e42ffb20f3d505288afcd48b25e1
Opcode Fuzzy Hash: fae6164d6e89aa41757af69919809f58885a0f5cbebfa1d15e4a75fbdf092687
Instruction Fuzzy Hash: A351F6322056819FE312DB69C844F6B7BE8FB90B50F19046EF9518B3B2D634E801CB61

Uniqueness

Uniqueness Score: -1.00%

Function 015149A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01514A61
This is located in the %s field of the heap header., xrefs: 01514AD6
HEAP: , xrefs: 01514A4A, 01514A5D, 01514A5F, 01514AC4
HEAP[%wZ]: , xrefs: 01514A3D, 01514AB7

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 129fd5f1907c2d0918d667d0583786669f6c100547f7983c06ba1907850330fa
Instruction ID: 39c1a3de763872518c52174ec637a7aa81db041f78a09290875a232a96f8f2af
Opcode Fuzzy Hash: 129fd5f1907c2d0918d667d0583786669f6c100547f7983c06ba1907850330fa
Instruction Fuzzy Hash: B1311532100101EFE752DB5AC884F6B77EAFB14B60F16845AF5059F2A5D7B0E984CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01513518, Relevance: 5.1, Strings: 4, Instructions: 55COMMON

Download Yara Rule

Strings

May not destroy the process heap at %p, xrefs: 01513561
RtlDestroyHeap, xrefs: 01513571
HEAP: , xrefs: 01513555
HEAP[%wZ]: , xrefs: 01513548

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $May not destroy the process heap at %p$RtlDestroyHeap
API String ID: 0-4256168463
Opcode ID: 93a0b8135297dcd328a1367c07da8d25474bfa36da744362414e36e02da3f283
Instruction ID: 421343652d0be7114c775fece8241cb771979d58875abf6c606545b957f6dfd1
Opcode Fuzzy Hash: 93a0b8135297dcd328a1367c07da8d25474bfa36da744362414e36e02da3f283
Instruction Fuzzy Hash: A50166321102019FEBA2EB6E8440B9A73E9FB55E20F11845FE8068F2A6DA70E944CA50

Uniqueness

Uniqueness Score: -1.00%

Function 014799BF, Relevance: 4.3, Strings: 3, Instructions: 572COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 014C1572, 014C1639, 014C17DE, 014C1927
HEAP: , xrefs: 014C155D, 014C1624, 014C17C9, 014C1912
HEAP[%wZ]: , xrefs: 014C1550, 014C1617, 014C17BC, 014C1905

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 7809105b3ee40d6de7f098621f1dafd4fc227cfc6b3bf7a7943c662111bc998c
Instruction ID: c7eee81025d394267bda2c22a61e89c43110152259f8923e4a29038ec56994b7
Opcode Fuzzy Hash: 7809105b3ee40d6de7f098621f1dafd4fc227cfc6b3bf7a7943c662111bc998c
Instruction Fuzzy Hash: A222F274600242DFEB65DF29C484B7BBBB5EF55B04F28856EE8468B3A2D731D881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0147B477, Relevance: 4.2, Strings: 3, Instructions: 405COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 014C2980
HEAP[%wZ]: , xrefs: 014C2973
(UCRBlock->Size >= *Size), xrefs: 014C298B

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: ae9a56102a578f385440f796e10a5f410d5dbbd09814e83e9f006aede323246d
Instruction ID: 55e8ef8add96f6b68f9fa11b86e72f5e26eeaff751a259aa5e4e58a7d3529856
Opcode Fuzzy Hash: ae9a56102a578f385440f796e10a5f410d5dbbd09814e83e9f006aede323246d
Instruction Fuzzy Hash: 99E19C746006069FDB1ACF68C884FBABBB5FF44704F1481AEE5169B3A1D7B0E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01458239, Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 01458263
\??\, xrefs: 014B2E2A
FilterFullPath, xrefs: 014B2F2C

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 131d5d2d7e43c0093adddfb16f2d9b7da2503a3334fe4c5febbfc1128704f0b5
Instruction ID: 128f8a0dc6a41a88cb892e6b4b5d0ddad496262a1d293e206fde2a832510c26d
Opcode Fuzzy Hash: 131d5d2d7e43c0093adddfb16f2d9b7da2503a3334fe4c5febbfc1128704f0b5
Instruction Fuzzy Hash: 4FA17C7590162A9BDB31DF19CC88BEAB7B8EF54714F1001EAE90CA7260D734AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0148AC7B, Relevance: 4.0, Strings: 3, Instructions: 205COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 014CA0BA
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 014CA0CD
HEAP[%wZ]: , xrefs: 014CA0AD

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: ec8cd1739b94a52aa47a90ed8e02a26882678a81aa52e407b64ced79ada5895b
Instruction ID: a9db89bc7ae655f081d7e0476e1c8d8e6f2572822c3709cc6443d7e00c06b39b
Opcode Fuzzy Hash: ec8cd1739b94a52aa47a90ed8e02a26882678a81aa52e407b64ced79ada5895b
Instruction Fuzzy Hash: B681E535200645AFE726DF68C894BAABBF4FF04714F2441ABE541CB7A2E7B4E941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 015023E3, Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

Heap block at %p modified at %p past requested size of %Ix, xrefs: 0150256F
HEAP: , xrefs: 0150255C
HEAP[%wZ]: , xrefs: 0150254F

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: d8498ba63c7a103f71e1efff7ec74a71ccc641ce478ef3d986b6e67d290f9fe2
Instruction ID: 60eee3ac45f1ec30a06254d0a1a6300a38bf813d80e8fb7ef35d80d9a0ba746f
Opcode Fuzzy Hash: d8498ba63c7a103f71e1efff7ec74a71ccc641ce478ef3d986b6e67d290f9fe2
Instruction Fuzzy Hash: 645124341002508AE776CEAEC89C7767BF1FB48644F568C5EE8C28F2C1D236D846DB21

Uniqueness

Uniqueness Score: -1.00%

Function 0147EB9A, Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 014C42BA
HEAP: , xrefs: 014C42AF
HEAP[%wZ]: , xrefs: 014C42A2

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
API String ID: 0-1596344177
Opcode ID: 8f5895fe8dc163a02af24a0456f479d53563e6b38874b1849bb28764d55306d6
Instruction ID: 5f6de57451cef2fde96fea5971a65dc77b2ea35d7a00478d4d2c8be1d83134db
Opcode Fuzzy Hash: 8f5895fe8dc163a02af24a0456f479d53563e6b38874b1849bb28764d55306d6
Instruction Fuzzy Hash: 7751D035A00515DFDB14DF69C584ABABBB2FF85310F1982AAD805AF362D731A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0147B8E4, Relevance: 3.8, Strings: 3, Instructions: 69COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 014C2C8A
HEAP: , xrefs: 014C2C7F
HEAP[%wZ]: , xrefs: 014C2C72

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 215ef2a835b91a3ca1902a13d0f92a25cbd4235085fda58d2ddd9b5af39f7523
Instruction ID: 14b21ea9a316e435983bdd57621767b1f13129966377d7d780b25d42686060ec
Opcode Fuzzy Hash: 215ef2a835b91a3ca1902a13d0f92a25cbd4235085fda58d2ddd9b5af39f7523
Instruction Fuzzy Hash: F91100313041029FE769DB2AC484FB6B3A2EB90A20F29802FE45ACF371E770D845DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0151E539, Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

`, xrefs: 0151E670
`, xrefs: 0151E5D7

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 1431c274dc2b3bb1023813ae8834d53a5bab2da4c4b878489c441abf9be125c3
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: FA916C316043429BF726CE29C942B1BBBE5FF84714F14892DFA95CB294E774E904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 014699C7, Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Exit, xrefs: 01469A04
LdrResFallbackLangList Enter, xrefs: 014699F2

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-1720564570
Opcode ID: 7aa3fbc1b14427a2dfa677da75c157b2b5fc8f5e0b59742f16263a2b8d8adbd7
Instruction ID: 26cad697c0a1cb6d0666dd97b87dcddae2aa032e18507aea3dd7f807b8e7f1b6
Opcode Fuzzy Hash: 7aa3fbc1b14427a2dfa677da75c157b2b5fc8f5e0b59742f16263a2b8d8adbd7
Instruction Fuzzy Hash: C961E1712083828FD725CF28C4807AABBE8FF95758F18856FE9859B3A1E374C845C756

Uniqueness

Uniqueness Score: -1.00%

Function 014D51BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

UEFI, xrefs: 014D521D
Legacy, xrefs: 014D5226

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 91d192c57a1c377a14fcea99bc8dc32143451711f13166cd76550c5149b33133
Instruction ID: 03a9766c6a422bda7af174a5b145a34b7e389040be67c3253900cc06eb2822b1
Opcode Fuzzy Hash: 91d192c57a1c377a14fcea99bc8dc32143451711f13166cd76550c5149b33133
Instruction Fuzzy Hash: A3515D71A006099FDF25DFA9C990AAEBBF8FB58740F14402EE649EB261DB71D901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01454439, Relevance: 2.6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

Flst, xrefs: 01454476
0, xrefs: 014544A3

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 5671aed1341b27dd24a9c435e2d3c05a9d8335f22c99106b2056dd48f142f52d
Instruction ID: d6f82a722ac5bcbee2fcf184fed5dad8073c66e18787a1edb3fb9f2d101feb86
Opcode Fuzzy Hash: 5671aed1341b27dd24a9c435e2d3c05a9d8335f22c99106b2056dd48f142f52d
Instruction Fuzzy Hash: C441BBB1A00248CFDB25CF99C5807AEFBF5EF54315F18802ED50A9F662E7319982CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014FEB8A, Relevance: 1.8, Strings: 1, Instructions: 599COMMON

Download Yara Rule

Strings

@, xrefs: 014FF10A

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4d94390dfc9b7e56296b1f816ad8705417f4f5479f0e430af0d978cb26b95dcc
Instruction ID: 4934053e7d339ed4f222c4aef9dc44c9da6cbdc9c008b0d97f166627b9594cce
Opcode Fuzzy Hash: 4d94390dfc9b7e56296b1f816ad8705417f4f5479f0e430af0d978cb26b95dcc
Instruction Fuzzy Hash: 2432EE752046519BEB24CF2DC090372BBE1AF45301F09849FEB869B3B6D335E85ADB61

Uniqueness

Uniqueness Score: -1.00%

Function 0147B944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0147B9A5

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 381cc02db6da804587fdbbc546ac292b0ffdb9b891f824a251e4bd3465f99b03
Instruction ID: e06132f929ee00851f310030db7b0ec39c736ff86a10b212d0c4b12d3cc41925
Opcode Fuzzy Hash: 381cc02db6da804587fdbbc546ac292b0ffdb9b891f824a251e4bd3465f99b03
Instruction Fuzzy Hash: 30516771A08301CFC721EF69C48096BBBE5FB98610F14896FFA959B365D770E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 014865A0, Relevance: 1.6, Strings: 1, Instructions: 368COMMON

Download Yara Rule

Strings

}7?Y, xrefs: 014867FE, 01486818, 01486822, 01486834, 014C7D34, 014C7DA2, 014C7DB0, 014C7E21

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: }7?Y
API String ID: 0-3546060580
Opcode ID: 583381e939669a790a1e073b081c560506671ce8f8d95410cff25b5c78b3ed63
Instruction ID: 2230cbf6f27a94d2db88ec577511370e6813611edfe1d89052288375612ec6a7
Opcode Fuzzy Hash: 583381e939669a790a1e073b081c560506671ce8f8d95410cff25b5c78b3ed63
Instruction Fuzzy Hash: 49E19175A00205CFCB58CF59C480AAEBBF1FF48314F19816EE959AB3A5D734E945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01482581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 01482642, 01482691

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 3796189bc2163fbaa2cbdb980970ed57fb90076eb718736edfe5723a185c8096
Instruction ID: 18a6667411ca7eecc8c5718e74273c87187007977fa5d03a6158d148532b1570
Opcode Fuzzy Hash: 3796189bc2163fbaa2cbdb980970ed57fb90076eb718736edfe5723a185c8096
Instruction Fuzzy Hash: EBC1A275E00215EBDB25EF99D880EAEBBB1FF58704F44402EE905BB360D774A946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0148FAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 014CBE0F

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: dd146805eccde092318c31a34a39e66b0c8e881190165f9d9f1a9919a16b40a4
Instruction ID: 23ee04fe42f07fa0730c4e4ce4b6d8606acdb0753add08149495cb35b217139b
Opcode Fuzzy Hash: dd146805eccde092318c31a34a39e66b0c8e881190165f9d9f1a9919a16b40a4
Instruction Fuzzy Hash: A3A11435B006068BEB25EF69C45076FB7A4FF58B64F04456FDA06CB7A0DB30D94A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 01452D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 014AFA4A

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: ea55ba374a64d722f15790652fd2e9c47b9b9e30e431246128d5099f31bc46dd
Instruction ID: 503ee03d4c5f1577b355575246b4b86e5bcaa8cf413e63f640226a961c1e9553
Opcode Fuzzy Hash: ea55ba374a64d722f15790652fd2e9c47b9b9e30e431246128d5099f31bc46dd
Instruction Fuzzy Hash: 6E614531A00205DFEB22DF6CC890BBF7BA4EB64324F55025BD911AB3F2D7B099068781

Uniqueness

Uniqueness Score: -1.00%

Function 0148F0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 0148F124

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 545a79d34bf76b5ce73496ce2278c9f7e2bee4a6e111ccc41e00db4f5cf315df
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: AF51A071504711AFC320DF19C841A6BBBF8FF58750F00892EFA95876A0E7B4E904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014D3540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 014D358F

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 9f241bd8e60993909e74950e8f5832d204add4b40ffe183d7c9b6796e5993cca
Instruction ID: 292e6c5d43830d0808f7845eb846947972826569b26f9127a083507e3c7e6485
Opcode Fuzzy Hash: 9f241bd8e60993909e74950e8f5832d204add4b40ffe183d7c9b6796e5993cca
Instruction Fuzzy Hash: 534134F1D0052D9BDF21DE51CC94FAEB77CAB54714F0045AAEA09AB250DB309E88CF95

Uniqueness

Uniqueness Score: -1.00%

Function 015205AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01520633

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 67ea6c5cbe20082d9601e6d9be5ac886930fd50dc09c3fb8491e33b8030bda84
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 563113322003666BE720DE29CD84F9B7BD9BBC5754F144229FA44AF2C0D770E905C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01484020, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 014840E8

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
API String ID: 0-996340685
Opcode ID: 6414b0439fcb039cf71dce56493029c8958bfe6c0a59c2e8b25d7475118489ea
Instruction ID: 248e8f16ee7c1af0d9c3dfbdd920a58a42d8586fbebbf7530436929d7382e4b6
Opcode Fuzzy Hash: 6414b0439fcb039cf71dce56493029c8958bfe6c0a59c2e8b25d7475118489ea
Instruction Fuzzy Hash: 3D416F75A0074A9AD725AFA9C4407EBFBF8EF19700F04482FD6AAC3650E334A545CB92

Uniqueness

Uniqueness Score: -1.00%

Function 014D3884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 014D38B4

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 2d7506726ca45386f0891a4ed23f3c43e98b6c6654d234d2cb427c9e7bf6f5d1
Instruction ID: c63607dd366a98ec3c08295e40f355f0187209fd1b7be624c04f51f36a816f23
Opcode Fuzzy Hash: 2d7506726ca45386f0891a4ed23f3c43e98b6c6654d234d2cb427c9e7bf6f5d1
Instruction Fuzzy Hash: BD31D4B290151AAFDF15DF59C955D7FBBB4FB90B20F0141AAE914A7360D7309E00C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0148D294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 0148D303

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9873e56ebca1cd9beb4fb411af7e0ac13e46b3dc644a78b06fc1a67d9dada892
Instruction ID: 449c8a9fb1da78f9880680f54a332ac3301fad6e72830d58d7b27eb661b0fb76
Opcode Fuzzy Hash: 9873e56ebca1cd9beb4fb411af7e0ac13e46b3dc644a78b06fc1a67d9dada892
Instruction Fuzzy Hash: 4E31C2B19093059FC721EFA9C9809AFBBE8EB95654F00092FF994933A0D634DD05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01461B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 01461BC5

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: f79205efee78bde9d391c63d692edda48c4764396c6ba05ad89fe853aa870f9e
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: B121F876501519ABDB229E5A8880FAFBB6DEFD0E55F054427FA048B324D630DC0197B1

Uniqueness

Uniqueness Score: -1.00%

Function 01508DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 01508E21

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 3a58e1b4c2e1da52492499f6fd0098a041e8d734d659c28bdf25fd46c0f466d3
Instruction ID: 732752944c2e4f95f48e84c1222e1ac541b83d5426415d1fa3758eb6db457fc9
Opcode Fuzzy Hash: 3a58e1b4c2e1da52492499f6fd0098a041e8d734d659c28bdf25fd46c0f466d3
Instruction Fuzzy Hash: 8E1139B5D54348DADB29CFE98905BDDBBB0BB24314F24425ED5696B3D2C3340A01CF14

Uniqueness

Uniqueness Score: -1.00%

Function 01525BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24a58c8aef69761376a32db5e0351534d02773695dd9e481f8be2a94073f978
Instruction ID: e690a15c261abcd0d2d5f72781f12b23a1c3e4216126f38e6f8aead2b6cc6f86
Opcode Fuzzy Hash: f24a58c8aef69761376a32db5e0351534d02773695dd9e481f8be2a94073f978
Instruction Fuzzy Hash: 3C424076910229CFDB24CF68C880BADBBB1FF56304F1581AAD95DEB281E7349985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01474120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0f589d64f46d026c7c897d7c279a9f147e40621a2df2b484363312159e483b
Instruction ID: eb83f46fb6b5e75f6f46e0ac059b426683abe3bcd705f6729362af880e1c088b
Opcode Fuzzy Hash: ce0f589d64f46d026c7c897d7c279a9f147e40621a2df2b484363312159e483b
Instruction Fuzzy Hash: 67F16B706082118BC724CF59C480ABBBBE1EF98754F19492FF58ACB361E734D896CB52

Uniqueness

Uniqueness Score: -1.00%

Function 014820A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7450b72b95db65ef13b11c790d39ed0c7310a5c8600de169f2c89fc619aa36
Instruction ID: a8942557ef54b3359a0c09fea0d7ce72b8f336f94933dbc178bf0e7ae5e9de25
Opcode Fuzzy Hash: ef7450b72b95db65ef13b11c790d39ed0c7310a5c8600de169f2c89fc619aa36
Instruction Fuzzy Hash: ECF101386083019FD766DB2CC440B6F7BE1AB95724F04851FE9999B3A1D7B4E842CB82

Uniqueness

Uniqueness Score: -1.00%

Function 01456800, Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4421b5b68efe9c1bf5cb1690e0264e1268690c9f32a8582c1f7122532390eb32
Instruction ID: 566300f9aeb23b92716df261271dc9edcfd8247d292520671fcab00778080396
Opcode Fuzzy Hash: 4421b5b68efe9c1bf5cb1690e0264e1268690c9f32a8582c1f7122532390eb32
Instruction Fuzzy Hash: 9BD1D071A002169BCB54CF69C890AFBBBB4EF14714F45822FED16DB2A1E734D945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0146D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6b2df9d29aad648fc27cf2fbaffac206f307bb017734649d5411311e7dd936
Instruction ID: 9fa971acdb4e26e0f4d5a47d12dfee60295141a21c05b108dbe6644f65c8e230
Opcode Fuzzy Hash: ec6b2df9d29aad648fc27cf2fbaffac206f307bb017734649d5411311e7dd936
Instruction Fuzzy Hash: 49E1E134F003598FEB25CF59C884BAAB7B9BF55308F0501ABD9499B3A0D734AD45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01453ACA, Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20169e7c630bad46e8d29cf17bd7204fb9f0412ac993db8899a6eab12f49befb
Instruction ID: 827e927db523e9ba6f5d7efa99bbdb41a0b07ba75f8d0bf85e30c4dd6a6c0190
Opcode Fuzzy Hash: 20169e7c630bad46e8d29cf17bd7204fb9f0412ac993db8899a6eab12f49befb
Instruction Fuzzy Hash: 11E10071D00608DFCB66CFA9C984AAEFBF1BF48354F10452AE946A7762D731A846DF10

Uniqueness

Uniqueness Score: -1.00%

Function 0147B236, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction ID: 24eb3b971efd6c3aebb45a84939e309815de6fb136863fc17942a00e9f500756
Opcode Fuzzy Hash: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction Fuzzy Hash: 19B1D135B006069FDB25DBA9C894BBFBBA5EF84600F14426FE642D73A1D7B0D941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0148513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403dee50bc856d671a46aecc27e9945a70307bd128dcf4f44cbae5d9e0901515
Instruction ID: 17ac5f62455d7eafe6e24734f01821dcc4c55d9e2ca31585fcda8aef8c896d00
Opcode Fuzzy Hash: 403dee50bc856d671a46aecc27e9945a70307bd128dcf4f44cbae5d9e0901515
Instruction Fuzzy Hash: B2C102755083818FD354CF28C580A6AFBE1BF88714F14896EF9998B362D771E945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 014803E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf56bf3c13a65dd257afd139c0b03473c9e00de6e7a5fa4c7436538b3d3b322
Instruction ID: 8cf6d3589f04bf80540a15dd0a4e1464f96d559c508bf3276a9cc4c748d52e83
Opcode Fuzzy Hash: ebf56bf3c13a65dd257afd139c0b03473c9e00de6e7a5fa4c7436538b3d3b322
Instruction Fuzzy Hash: 79915B35E002159FEB31EB6CC954BAE7BA4AB01B24F0A026BF910AB3F1D7749C05C791

Uniqueness

Uniqueness Score: -1.00%

Function 0148DA88, Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b692b2e081e6dbb9e320c1d1cd465b42b759ee696b26427da2d18d2f0242af
Instruction ID: 1085082722dc53f9d6021b05f9d035f846510cc229e888a7d0804f276fa03f0a
Opcode Fuzzy Hash: 92b692b2e081e6dbb9e320c1d1cd465b42b759ee696b26427da2d18d2f0242af
Instruction Fuzzy Hash: 4AA16A78E02205CFDB25EFA8C4407AABBA1BF19358F18455BD8619B3E2D770D882CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01455AC0, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8414ccb0d46163f7b2ab352c1f861763950f61a647e541949ce62bdecefb3371
Instruction ID: 02201ee74ea9b45f68167c53aaad0bdc6f2a6ab134c9e993ff01f6edb80de0f2
Opcode Fuzzy Hash: 8414ccb0d46163f7b2ab352c1f861763950f61a647e541949ce62bdecefb3371
Instruction Fuzzy Hash: 478118B1A0011A8BDB24CB18DD90BFA77B8EF54704F0445ABDA15E72A1E774DEC1CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0148138B, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction ID: b446bdce6edda8a8862a63038496e6028129d71a6d597aa99f0d713209f65e85
Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction Fuzzy Hash: B1819B75A002459FDB25DF68C580AAEBBF5FF58700F14856EE946CB761D330EA42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014EB8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7dc323adf145dcb0d3098490e50d678e487cb6e8ba327297a47f42fb6050f32
Instruction ID: a155e9153b6b6b9e8311bbd390b50ed010293bc8acc5550a87ac240bf926e3f7
Opcode Fuzzy Hash: b7dc323adf145dcb0d3098490e50d678e487cb6e8ba327297a47f42fb6050f32
Instruction Fuzzy Hash: 09711E32200B02EFEB32DF19C848F66BBE5EB50722F14452EE6559B6B0DB70E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014D6DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 05cde26e6bf28d3fd3299db7c55e753dfe064c1a730d3eebc0add8a8c215371b
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 0C719071A0021AEFDF11DFA9C954EEEBBB8FF58314F10446AE504E7260D734AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0146F370, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bdddaf47217d50a695e3efc0a7e9578b7b04bf8e367a158e3fcbb04d35544c3
Instruction ID: d868e75aad35be2fba35b4eb8a5c214f1e78c8058249e616d965bd7f1cda5d30
Opcode Fuzzy Hash: 8bdddaf47217d50a695e3efc0a7e9578b7b04bf8e367a158e3fcbb04d35544c3
Instruction Fuzzy Hash: 65613232A012118BCB25CF5CD4903BABBB5EF95304B1480BAE895DF765DB34D94AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0145395E, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5604bfdaeb7b27608b8b346a868110904da74f36fc91c2a4a54deb2e5959782
Instruction ID: 58767218c41e5e6561c10fdd718ddf40c68325c459f72779ca566e47288ea43d
Opcode Fuzzy Hash: a5604bfdaeb7b27608b8b346a868110904da74f36fc91c2a4a54deb2e5959782
Instruction Fuzzy Hash: DF51B071A007419FDB21DF9AC484A6BB7B9FB64309F00482FE54287632D774E849CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0145B171, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8528a658bad4a77b55526a1c1de9021d4a5d40482db33e9af0992116057d1c
Instruction ID: 8530044209ba948bb2284f01535db3712bc35aac87dee77a782a96b014bdbd51
Opcode Fuzzy Hash: 7d8528a658bad4a77b55526a1c1de9021d4a5d40482db33e9af0992116057d1c
Instruction Fuzzy Hash: A251A075D002598EDF25CF788884BEEBBB1EF14710F1841AED85AAB3A3D7704945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014895EC, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08df083bab1150f70f0c927643766352d123b85d1f8eb9ce534554ac03a946c9
Instruction ID: 2d275f64c2d862382a6403646bca0b0592111530208910dca0acf67d526bd01e
Opcode Fuzzy Hash: 08df083bab1150f70f0c927643766352d123b85d1f8eb9ce534554ac03a946c9
Instruction Fuzzy Hash: 4951D235A00A0AEFDB15EF68C8447BEBBB4BF9471DF04412ED51AA76B0DB749911CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0151B581, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe769e270e9ffd5851ad0a8a62160affe62dc3bb7709795595e6b230306ee63
Instruction ID: 19242b61aacef904bef0e1729fb16f244ef151e0ab67902a55900a4dac6faeea
Opcode Fuzzy Hash: 1fe769e270e9ffd5851ad0a8a62160affe62dc3bb7709795595e6b230306ee63
Instruction Fuzzy Hash: 6551DF326047438BF312DF28C594BAABBF5BFA4714F19096DA9458F294EB35E805CB81

Uniqueness

Uniqueness Score: -1.00%

Function 014552A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9c22e9055d4741bb9b1aadaa8c6994d07636518fd5079bdf376e92302b7901
Instruction ID: 34b92e7128d07076e03d0ffc220e3331fe12bef2758adbfd1065318c6cee2034
Opcode Fuzzy Hash: 5b9c22e9055d4741bb9b1aadaa8c6994d07636518fd5079bdf376e92302b7901
Instruction Fuzzy Hash: 3651E071104742ABD721DF69C840B6BBBE4FF64714F14091FF4958B662E770E805CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01482AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419126f17279e9b6c9cfa73a8377077fd527734f82d02aebaac9b6ac28880b0a
Instruction ID: a1ec8f5dfb07169a01829a5bb489f0122a70241e5b3089d93525734e6c099606
Opcode Fuzzy Hash: 419126f17279e9b6c9cfa73a8377077fd527734f82d02aebaac9b6ac28880b0a
Instruction Fuzzy Hash: 7C51D17AB011258FCB14EF5CC880DBEB7F1FB88704716845BE8569B325E770AA45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01483C3E, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e03a38c14509b47428c9570a23cbd47eb8194a35297b977edeb5dbdcc69c6a
Instruction ID: cbdf969c6f22263a6d8324f93c5797b4785924d8b5be43a81a91620027671b0f
Opcode Fuzzy Hash: 00e03a38c14509b47428c9570a23cbd47eb8194a35297b977edeb5dbdcc69c6a
Instruction Fuzzy Hash: E351BE71208341AFC740EF29C844A6FBBE9FF94614F14492EF998CB2A1D730D906CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0147DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a070e73cf43f18815eeb8562a27ef260a8fbc89e37acd53f4404f073dd089d9
Instruction ID: 8fed86595e9dad2d904e81289d517a8235be4540ae9c2d3ea032b652148eda85
Opcode Fuzzy Hash: 2a070e73cf43f18815eeb8562a27ef260a8fbc89e37acd53f4404f073dd089d9
Instruction Fuzzy Hash: AA51BDB5E00206CFCB14CFACC480AAEBBF5BF58310F25815BD955AB361EB71A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0152740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: ac3c64993ff0eeee46dbe1f20816ead8e83aa539bc8ba2b226df7890ecf113d5
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 7A518E72600646EFDB16CF18C580A96FBF5FF5A304F15C1AAE9089F262E371E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01494D51, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c987ef142df1584dd8d639fa8fc84791a5094b44c6db83ae1c023477dd8020
Instruction ID: b7e1a821b882ead2b8d700bc3b05761b4e75c8198b1322f42687bb1ab2e2f891
Opcode Fuzzy Hash: 57c987ef142df1584dd8d639fa8fc84791a5094b44c6db83ae1c023477dd8020
Instruction Fuzzy Hash: 91514A79A00515CFCF55CF99C580AAAFBB2FF84724F1842AAD915A7361D730AE42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01482990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ca4b627f89c5ed78d4124a8071cbe381298fa609e8dc0e01225b048b0935e6
Instruction ID: cac7b6292c11ad171d491020bcaadc898c8596214a9f022d052ba0be68405da9
Opcode Fuzzy Hash: a5ca4b627f89c5ed78d4124a8071cbe381298fa609e8dc0e01225b048b0935e6
Instruction Fuzzy Hash: BF515971A0020ADFDF25EF99C880EDEBBB5BF58710F05811AE914AB330C3B19952CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01455050, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27eeda9aa84b1b470a916341528c42459296be959cc959ceff8fa25aa602bc05
Instruction ID: ab9caa4108bc16c6f0fac5177b62b9634d0b3a41747af0e3efdcb92bd2fe89c7
Opcode Fuzzy Hash: 27eeda9aa84b1b470a916341528c42459296be959cc959ceff8fa25aa602bc05
Instruction Fuzzy Hash: 3241C3366043129BD324EF29C880BABBBB4AF54751F10492EFD555B362D730DC46C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 01484BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f11de76e98d6a8dee067fe9f735a430a5129ae9182a3065d81ed3e62e22b74a
Instruction ID: e3455454560b23b63cadc5df5c8ac518ac3129c688334cbd0ba47e5ef846c857
Opcode Fuzzy Hash: 4f11de76e98d6a8dee067fe9f735a430a5129ae9182a3065d81ed3e62e22b74a
Instruction Fuzzy Hash: 8A41D835A002299BCB61EF68C940FEE77B8EF55700F0644ABE908AB361D774DE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01484D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b25872fecf6957ab5648add343c5c457f6ae1b8c0f438d6ec5dafeffd99e9c
Instruction ID: 394e67ef511ac606cee36a2f1eb3920553ea75add00f4e03e7de7aeb9ad43ca2
Opcode Fuzzy Hash: a8b25872fecf6957ab5648add343c5c457f6ae1b8c0f438d6ec5dafeffd99e9c
Instruction Fuzzy Hash: CF41C375A403199FEB32EF19C880F6BB7A9EB54610F04409FE9499B3A1D770DD44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0147F86D, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59fd1e23adeb1e89fff4ba302f5bd5fc4a81c8965f4aed63816f0948bcfcd52
Instruction ID: 9ca0b5284af7c047f2580b6c7f3a2dca35dbb56025049d2469759d3b62288e67
Opcode Fuzzy Hash: e59fd1e23adeb1e89fff4ba302f5bd5fc4a81c8965f4aed63816f0948bcfcd52
Instruction Fuzzy Hash: 2841D3B1A00216AFEB629FADC840BEEB6B5BF68714F14001FE561EB371D77498448B50

Uniqueness

Uniqueness Score: -1.00%

Function 014E6365, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
Instruction ID: 48fb2216d18060d2c7edbe9148facff0111f1262d13cfd2934bcce550293f4d3
Opcode Fuzzy Hash: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
Instruction Fuzzy Hash: 9541E236600105EBDB259F68C854BAF7BA9EF60711F0A407EEA069B360D634DD02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01451AA0, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a7370b56a08231ee134f13a4b803da5b209042f7814c29e042afade973f4ff
Instruction ID: c10c52ecc9bc568b9e41389aaf93c2e3ced9dd49c3e3c79c2e128423823dcc08
Opcode Fuzzy Hash: e1a7370b56a08231ee134f13a4b803da5b209042f7814c29e042afade973f4ff
Instruction Fuzzy Hash: E9414F71A00605EFDB65CF99C980BAABBF5FF18700B10456EE956DB761E330EA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01460100, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3ce7bd1d1871c6e68df6814927d4893c6227d8da9a624fad51c0383442a7e2
Instruction ID: dd532b77f9aa719dfc14b7032e7065160f8ef1acf0717eb36e5e1972e2171dc3
Opcode Fuzzy Hash: ee3ce7bd1d1871c6e68df6814927d4893c6227d8da9a624fad51c0383442a7e2
Instruction Fuzzy Hash: EE41EE35944205DFCF61DF68C8807EA7BB4BF25318F0A011BE821AB3B2C3319985CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0151AA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 56dccbfc77b7ee8851e2aefa6deb8e934481ea2bfdbc9381e6c91522dd0e8969
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: D3310432F021C96BFB179B69C945BAFFBBBFF80210F05446AE905AB255DA74DD00C650

Uniqueness

Uniqueness Score: -1.00%

Function 01468A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c586bc8ec559416421886223d63b219d64525b08f5ded5ac54d2e825f328aaa
Instruction ID: d25205b2caacf40940c9ebe35d4c61ec0868f277790f3d9b888987921e98d473
Opcode Fuzzy Hash: 8c586bc8ec559416421886223d63b219d64525b08f5ded5ac54d2e825f328aaa
Instruction Fuzzy Hash: 504185B0A0032D9BDB24DF59C888AAAB7F8FB54704F1041EBE91997362D7709E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0151FDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 29b60e4a7b50642a77872b017861ff9ef7b186deaaed35edffdcca611696bc5e
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: C8312632200A416FF7239B68C884F6ABBEAFBC5650F08465AE9468F74ADA74DC45C750

Uniqueness

Uniqueness Score: -1.00%

Function 0151EA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: d45b0097861cff233aaff0a35b35144b40d8e511d06d529ca287af518c0b87ce
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: F331D6726047069BD71BDF28C885A5BB7E9FBD4310F04492EF9528B645DE30E809C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0146B433, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce7baec8dd61d033a2283f6c29e1c0cbcb02c42f85a1c7a17e92119e31cdb3b
Instruction ID: c900d7d60377649366c7c1ac1b7d62e5e6f65bb3a8853f594a06acc8883e3719
Opcode Fuzzy Hash: 9ce7baec8dd61d033a2283f6c29e1c0cbcb02c42f85a1c7a17e92119e31cdb3b
Instruction Fuzzy Hash: 87413432604245AFDB12CBA8CC84BDABBECEF10744F0481B7E454D7362C6749945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014D69A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8036e208956bb19214c169d0a375c0fe820a9231f7f1c6d870b3966f42705b7
Instruction ID: e7c4df2247e4af3b6ac5b925201abc83eb4133c7c63b9db1bb0d00d7d0d644ff
Opcode Fuzzy Hash: e8036e208956bb19214c169d0a375c0fe820a9231f7f1c6d870b3966f42705b7
Instruction Fuzzy Hash: 6C418CB1D002099FDB24CFAAD840BEEBBF4EF58714F15812EE954A7360DB709905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01455210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c316044de976fbf2fad34e12e76f73af1c00b11df685fa9f9e194ded183abc
Instruction ID: ad0e0c4543121807ec931c462b2cf76e989c1a8d0ca7f25165d75076ba03ffd0
Opcode Fuzzy Hash: c2c316044de976fbf2fad34e12e76f73af1c00b11df685fa9f9e194ded183abc
Instruction Fuzzy Hash: 3531D531241601ABCB629B19C881BBB7BB9BF20761F11461FF9154B6F1E770E842CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01493D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a5c9cbe541c201b22e6f7331c4f8ff981a6c78ec0caf869d3962f93416408a
Instruction ID: c043f26f96fbfbe945a456c8e26ce6c598db6e1fbe23cd294024c643464aff68
Opcode Fuzzy Hash: e5a5c9cbe541c201b22e6f7331c4f8ff981a6c78ec0caf869d3962f93416408a
Instruction Fuzzy Hash: C431CB35A012119BCB258F2EC851A6BBFA5FF86B10B05816FE949DB370E7309842C790

Uniqueness

Uniqueness Score: -1.00%

Function 0147C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 56d1a36ba107fdb9cc2c629756815385c09b5db1bec30bad9552882d446a6f51
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 25311272A01547BAD709EBB5D490BEAFB98FF62204F08416FC41C57321DB746A4ACBE1

Uniqueness

Uniqueness Score: -1.00%

Function 014D7016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abac1f8c1a3382fef38f0d419291e673af8cae20ef578562da08a92cc3ec23c9
Instruction ID: 614937378044d5b4863c06761b3e9f29f2739cd4beaeec245d23ed188eec40b7
Opcode Fuzzy Hash: abac1f8c1a3382fef38f0d419291e673af8cae20ef578562da08a92cc3ec23c9
Instruction Fuzzy Hash: C431E2726047919BC721DF28C850A6BB7E9FF98704F044A2EF995977A0E730E904C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 014853C5, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c2b4764fbcd25e7e5e8c6afd24d376e0ef051846f00dea3654191e584b831a
Instruction ID: 413e909e496cc8dd9ffe79197e8d335013f35ad2191d468f1d3bec75da6f7c93
Opcode Fuzzy Hash: 15c2b4764fbcd25e7e5e8c6afd24d376e0ef051846f00dea3654191e584b831a
Instruction Fuzzy Hash: 5341F378A047458FDB61EFB9C4003AFBAF2AF21704F14052FC096AB361DB755905CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 01503D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f1cf5188de48425faf2ac617f87449d4689bcf5cc5f88d177d9c1393f34253
Instruction ID: 1de93622fcc33ec987a9a879ff00679a7bfaea557425a97879b22cb7c44ffe6d
Opcode Fuzzy Hash: 95f1cf5188de48425faf2ac617f87449d4689bcf5cc5f88d177d9c1393f34253
Instruction Fuzzy Hash: 5A31AB71609302CFC711DF99D58095ABBE1FF85618F044A6EE4989F291D370ED08CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 01453880, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b045f6d030349c79b9b852f5a6a537135b6ba9e0bcaac8f3c02a3db80c7e7a
Instruction ID: dba2ca4f02f555b09a525d29ce54315bec9a707f82b8783d11ce942f32b0581a
Opcode Fuzzy Hash: f9b045f6d030349c79b9b852f5a6a537135b6ba9e0bcaac8f3c02a3db80c7e7a
Instruction Fuzzy Hash: 2E31A472E01219AFDB61DFAAC840AAFBBF8FB14350F01456BF915E7261D6709E018BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0151A189, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b24bbbea1fdb43f8ba0383467a326aeba64c920542583ea17475070a3df30a5
Instruction ID: e3c2eaa2434b15dfecd1b7c5d46eefd8a35d1d068d804fc04bcd2ed0f1a819de
Opcode Fuzzy Hash: 9b24bbbea1fdb43f8ba0383467a326aeba64c920542583ea17475070a3df30a5
Instruction Fuzzy Hash: 52313231A01212EBEB139FA9D840BAEBBF9BB54714F10006AE515DF254EAB0DD008790

Uniqueness

Uniqueness Score: -1.00%

Function 014861A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f18fbbd7bb3a3282e01c17e6da3da0477aaab10a3cccfe0bcc87e29974025a
Instruction ID: de692ce1163303258afe285797e7f7dbc64da28c27c970e4847d113b521b4cf4
Opcode Fuzzy Hash: b3f18fbbd7bb3a3282e01c17e6da3da0477aaab10a3cccfe0bcc87e29974025a
Instruction Fuzzy Hash: BC316F716157018FE3A0DF1DC940B2BBBE5FB98B10F05496EE9989B362E770D904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0145AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb8faab35587970648c22a50d1f6018b855ad49043617f02a0c617b8ecbc08f
Instruction ID: 1f0be3fd392b492b8c7e2627b063d3104eb092f6bc89d48aec6869886af1db89
Opcode Fuzzy Hash: 9eb8faab35587970648c22a50d1f6018b855ad49043617f02a0c617b8ecbc08f
Instruction Fuzzy Hash: 5A31D471A00219ABCF11AF69CD81ABFB7B9EF18700B15406FF902EB261E7749D11D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01494A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc0d51a0b4f2f60e7b09dde52ed5ddc0b6a55a37b327b992de32945872853ae
Instruction ID: 28dad6c5a7ba3418f501f23332146bb271037b74d18f08ebcbfb0d3a178fb5bc
Opcode Fuzzy Hash: 6dc0d51a0b4f2f60e7b09dde52ed5ddc0b6a55a37b327b992de32945872853ae
Instruction Fuzzy Hash: 813124322013119BCB61DF59CA44B2BBFA5FF91B14F09452FE8560B361C7B4E806CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0148BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a356ec937d904dc0fbd85845570ea950cc87e3018b4436ddcfd2c68f5bc621
Instruction ID: f01760baccc34947ede261d7165983c8c04cba6a1fd469459f6a8aef3ad55f34
Opcode Fuzzy Hash: 13a356ec937d904dc0fbd85845570ea950cc87e3018b4436ddcfd2c68f5bc621
Instruction Fuzzy Hash: 0F31E3366006169FDB21EF58D4807AA77B4FB19314F05407ADD58DF315E774DA0A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 01459100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21a1707f31b4928283f88fe6dde8c0963b7be1311bbca816d438e20406a4f2f7
Instruction ID: 243a9bea653d89f41b3a1b6c328d3fc60507d4c2c6decfbfb18df57dd4197ff6
Opcode Fuzzy Hash: 21a1707f31b4928283f88fe6dde8c0963b7be1311bbca816d438e20406a4f2f7
Instruction Fuzzy Hash: F531EA75900255DFEBA1DFADC088B9DBBF1BB55358F18854FC8146B362C334A940C751

Uniqueness

Uniqueness Score: -1.00%

Function 0148F527, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction ID: 81dd6d1751d092b8fa8acd274894603af9d8e4e5fea7beece69c2c6a843b7601
Opcode Fuzzy Hash: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction Fuzzy Hash: 89319C31600645EFD721DF69C884F6AB7B8FF44350F1005AAE9158B2A1EB30EE01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01481DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 56ce017a7c07ad482377ad4c949c2cfe65700f421756b0a68146f93ac621ec78
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 54219171600119EFD721EF59CC84EBFBBB9FF95A50F11405BE60597660D634AD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01478D76, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bb880f202995efe010d3394c93c0ea5625e034346b058b5a2247eab0db08ad
Instruction ID: b31ab5abf263f598c414168634f3e4d5f8310113abcf949cef72e9819272fc07
Opcode Fuzzy Hash: c4bb880f202995efe010d3394c93c0ea5625e034346b058b5a2247eab0db08ad
Instruction Fuzzy Hash: 7421A539241682CFE365CB2DC098BB777E4FB51704F184497E98187761D739D883C620

Uniqueness

Uniqueness Score: -1.00%

Function 01470050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b97cfdb85e6da7b1ab2598d6fc78fbf462bea37f6f7d5de0300dcaf7c9bf853
Instruction ID: 75c48bccb2b188bf827fcb371055c446669eb917494b4ec1aa5668e19adaf112
Opcode Fuzzy Hash: 4b97cfdb85e6da7b1ab2598d6fc78fbf462bea37f6f7d5de0300dcaf7c9bf853
Instruction Fuzzy Hash: 0C318171202B44CFD722CF28D880B97B7E5FF89724F14456EE596877A0DB75A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014D6C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9ff50b264521ad43d91a7df5c7eebe5ab00d8ca211a28e266fcd5ad642ff83
Instruction ID: a4181c643331f9bf7b707ee7dbae89698640efd21cf133f7e695ec3b73d8bc30
Opcode Fuzzy Hash: 5c9ff50b264521ad43d91a7df5c7eebe5ab00d8ca211a28e266fcd5ad642ff83
Instruction Fuzzy Hash: 8C21ADB1A00645AFDB11DB6DD844E6AB7B8FF58700F05006AF904D77A1E634ED11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0152F1B5, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8012e6f27d6175d96a19c3618efe473e96fe290b45a50ea8368f8d132fe515
Instruction ID: f75feb479dcc60539ca27784acb7b02860482cae4d47a3d1d7dc82f099c20504
Opcode Fuzzy Hash: fe8012e6f27d6175d96a19c3618efe473e96fe290b45a50ea8368f8d132fe515
Instruction Fuzzy Hash: 5321CF3BA00625ABDB219F49EC84F9EBBB4FF47710F014066E9049B2A0D334AD00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01454A20, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b04478c5e58060e3f09dd97b3a13f32a830b7f170a447a5c1b6d3691834570a
Instruction ID: 385cf44fd1480b31f02c00380acdfea113d820cdfafd3fea2609a54864767658
Opcode Fuzzy Hash: 2b04478c5e58060e3f09dd97b3a13f32a830b7f170a447a5c1b6d3691834570a
Instruction Fuzzy Hash: D921D8311006019BCBF2AA69C840B6777B5FB74225F184B1BE8564F6F3F630AC82DB95

Uniqueness

Uniqueness Score: -1.00%

Function 014990AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: d3b5fbf37bc23578f310244388f829fc02554eb820dfe542f08d53b2a5fecc78
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: E32183B1A00205EFEB21DF59C545AAAFBF8EB54714F14847FE985A7260D330ED00CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01483B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fba6bc106575ccfbb3f32f575c1e091cd824f1e65f0908225fa355acbeadb17
Instruction ID: a714a2289346607081dee2298e87e2c3f09c8d36613426ec4ab355954d891d51
Opcode Fuzzy Hash: 1fba6bc106575ccfbb3f32f575c1e091cd824f1e65f0908225fa355acbeadb17
Instruction Fuzzy Hash: 2C219272600105AFC710EF98CD81B6EBBBDFB44708F160069EA08AB261D371ED05DB94

Uniqueness

Uniqueness Score: -1.00%

Function 01454B94, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be039c21412206f03258b38c48bd730f8b7be0bbe1998d3b1572028778da135b
Instruction ID: c3f36cb259b1d165bd5aafbdfe2b987c6e400648fab7d30819bb397169bc1ec5
Opcode Fuzzy Hash: be039c21412206f03258b38c48bd730f8b7be0bbe1998d3b1572028778da135b
Instruction Fuzzy Hash: F531C131900625DFD769CF69C48067AF7F4FF84211F1A866ACC699B762F770A981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 014628AE, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f017387f3e231ec893754f61c0101a9ccac31d6459bbfc026146d0d72b44a1b7
Instruction ID: 20664fb9c4b087a48dea6c35b9a3ea843d545e0e6a2f84cdc51d623f89f495e5
Opcode Fuzzy Hash: f017387f3e231ec893754f61c0101a9ccac31d6459bbfc026146d0d72b44a1b7
Instruction Fuzzy Hash: 86212C31605781ABF722576D8C48F653B98AB41778F180767FA249B7F2E7B898018221

Uniqueness

Uniqueness Score: -1.00%

Function 0145519E, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98a38fc6d8e6bb415b457bd22a8b4713bec49114dc988b14f4871bcf778390e
Instruction ID: e4e68ac0f10f9f34803e844a2ed1c0bf22a7cbce2f5ab1a0235a707da671f7ce
Opcode Fuzzy Hash: d98a38fc6d8e6bb415b457bd22a8b4713bec49114dc988b14f4871bcf778390e
Instruction Fuzzy Hash: CE11E135901301ABCB749F69C580AFBBFF5EF24620F14056BF8469B7A1EB31D842C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 014512D4, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
Instruction ID: f32a1e933ee1b230989a51ae90dd7bccc1b1b4bd45488c2e64f91a02664e212e
Opcode Fuzzy Hash: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
Instruction Fuzzy Hash: F211E672600605EFE7229F55C841FAABBA8EB94B50F10402BFE058F661D671EE44C754

Uniqueness

Uniqueness Score: -1.00%

Function 0148FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 3e2cac95926b657e6dfbbbf4cb5f5544f82a240864c33bad50c0c6bfe9e91113
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: FD217C72600641DBD731DF4EC540A6AF7E5EB94A11F24816FEA4A87B21D730AC06CB80

Uniqueness

Uniqueness Score: -1.00%

Function 014812BD, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fda250bc62006b1c600568b1128a19bd7a1c3b723a30e2803ee74f8a06c504e
Instruction ID: b5d5dd788bd04c51bdb69ae0b7d4bb01cabac09adab4fbb1384e786862aa721d
Opcode Fuzzy Hash: 3fda250bc62006b1c600568b1128a19bd7a1c3b723a30e2803ee74f8a06c504e
Instruction Fuzzy Hash: 08215E75600600DFE734DF69C880B6AB7E9FF44650F14882FE59ECB761DA30A841DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01495A69, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6d5834ef0659f72ae027e171ff02643596731e05f475a35fa69b291801f81a
Instruction ID: b6d934871befa5bf09984ba8768bb05d77c06f28c54a9267077a204a738ccf25
Opcode Fuzzy Hash: 3b6d5834ef0659f72ae027e171ff02643596731e05f475a35fa69b291801f81a
Instruction Fuzzy Hash: 031121392416418FE7268B2DC0E07B27BE5EB01708F28005FE9828B361E37DDC86C754

Uniqueness

Uniqueness Score: -1.00%

Function 0148B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c71a30733ee342f23191465c11804b45f1fd0a8b3a3924d6f60127174e85dd6
Instruction ID: 06ad107583105e4fc9fecb73d13b3946c631ea8716ca30a43ef95b286d48deff
Opcode Fuzzy Hash: 2c71a30733ee342f23191465c11804b45f1fd0a8b3a3924d6f60127174e85dd6
Instruction Fuzzy Hash: 19116B373011109FCB19DA598D81A6F7296FBD5730B38013FDD1ACB3A0D931AC02C694

Uniqueness

Uniqueness Score: -1.00%

Function 01459240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02310a44c7cbc39dabb7ce2ccc63aa4cd21649466a16462d7b286aaf810bec95
Instruction ID: ac8672606cbd87991d0aa5541e64a090bfc15b536d1290dcad3c78a58543d31a
Opcode Fuzzy Hash: 02310a44c7cbc39dabb7ce2ccc63aa4cd21649466a16462d7b286aaf810bec95
Instruction Fuzzy Hash: 3D215772040601DFC762EF69CA00F5AB7B9FF28709F06456EE04A8A6B2CB34E941DB44

Uniqueness

Uniqueness Score: -1.00%

Function 0151E962, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
Instruction ID: 54c05ef3c4541ff1eeeea3ef0084e67d438baa9a7a4fed662936b70c758af926
Opcode Fuzzy Hash: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
Instruction Fuzzy Hash: B011C83660051AAFDB1ACF58C805AADBBF6FF84310F048269EC459B354DA35AD51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01453138, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
Instruction ID: d6355d2cde8269ad56dff2180df223b01824400264c55e372cdcf13cf0d6659e
Opcode Fuzzy Hash: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
Instruction Fuzzy Hash: 51118131901305AFDB26CF64C804F6AB7B5FB95354F14869ED8029B361EA71AC07CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014E4257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76b51f4530f3e706f865d6c49be55e7369448dbf5647f5a9438fa00a5a69189
Instruction ID: d8b9848911933cced65f4839e3a3e429a5d8de6ff649f7727dc69a1992f0a591
Opcode Fuzzy Hash: c76b51f4530f3e706f865d6c49be55e7369448dbf5647f5a9438fa00a5a69189
Instruction Fuzzy Hash: EF219D74600601CFCB29DFA9D014624BBF0FBA535AB5A826FC125CF7A5EB32C455DB00

Uniqueness

Uniqueness Score: -1.00%

Function 014628FD, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31aacc847270f204ef9c617d9db3ffbe29cfbab01897f98952df835dbb3be5d
Instruction ID: f1dd3570e8eb0a6312703293ae83cf3ff6afb6037d63341d72e36374bae98cc7
Opcode Fuzzy Hash: a31aacc847270f204ef9c617d9db3ffbe29cfbab01897f98952df835dbb3be5d
Instruction Fuzzy Hash: 8311A535744640ABE322976A8D84F673A9CDBD0B95F14006BA9419B3F1E9B4AC018162

Uniqueness

Uniqueness Score: -1.00%

Function 01482397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615124eb15c89b325b807325977e2339cca2bfef033b821bd993b0e3a5ca71f1
Instruction ID: ab7c28ce2e0feba3736c6566bea22e8da5a499fac8b28b2fc00b32a421005519
Opcode Fuzzy Hash: 615124eb15c89b325b807325977e2339cca2bfef033b821bd993b0e3a5ca71f1
Instruction Fuzzy Hash: 5F11047174030167E770BA7E9C90F1AB6D8BBB0624F14442FEA029B2B1D6F0E809D764

Uniqueness

Uniqueness Score: -1.00%

Function 0145C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5529da5b67efcd84549fcdcb050d839718bc3fe303af4a390b71992dbcba6a7
Instruction ID: 6dd79a307a1e0f2ef70b857844cc62a401354a8529ecb372f1323597d789c581
Opcode Fuzzy Hash: b5529da5b67efcd84549fcdcb050d839718bc3fe303af4a390b71992dbcba6a7
Instruction Fuzzy Hash: 6011C6353006079BCB60AF2ADC8592B7BF5BB98919B00052EE94697661DB30EC15CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0148002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 05d4d02bdac1ac19459d4a9e8ee6de9eb9b4e631f06c921fcdc77878267de6d0
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 041125766116818FE363972CD668B3A3794AB02B44F0D00ABED04977B2F338C843C220

Uniqueness

Uniqueness Score: -1.00%

Function 01459080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6831ade3235a49c31837872d6663e56e1a63d58421bb5b13df53ca4c23188da
Instruction ID: f63b5dcfdf7b5e52732c0b86af96565333fc56f7d02536f1403c76f829318a2d
Opcode Fuzzy Hash: e6831ade3235a49c31837872d6663e56e1a63d58421bb5b13df53ca4c23188da
Instruction Fuzzy Hash: 6501D1B2511201DFC3258F08D840B227BE9FB41B28F25442BE9018F7A2D270DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014EC450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 1b2eb3dcecc9a6e4326ce58e3d34e8ef861815856f790df10ecb9c7f8b642a13
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 2C019672140506BFEB21AF6ACC84E63FB7DFF64355F00452AF21442670C731ACA1C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 01483B5A, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4278adc4c6271048f28121e6263c217441483d9eaa441c6605c5b0c6f2549d02
Instruction ID: ad93829b7720dd07a844cbb3c6075f92e626d84f01ea97bde63f04d379027cb5
Opcode Fuzzy Hash: 4278adc4c6271048f28121e6263c217441483d9eaa441c6605c5b0c6f2549d02
Instruction Fuzzy Hash: 0211283A5015509FCB65EF89CA40F6AB7B9FF18A05F06006DE405A7762C738FC01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01511A5F, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e93e9a404fecce4f7cdb9fbdfa514add6a500d91b71a20d214f14c675b12623
Instruction ID: c9cad32a45520b1f8fb54487db325093b9e4aed5a526a5ebe1cd9cd429d93347
Opcode Fuzzy Hash: 5e93e9a404fecce4f7cdb9fbdfa514add6a500d91b71a20d214f14c675b12623
Instruction Fuzzy Hash: 1E116D71A01249ABDB10DFA9D845EAEBBF8EF54710F44446AF914EB390D674AA04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014531E0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
Instruction ID: 4fa519be7cf8efd16fb0ffc59f5e2abc386fc5f5cf414593d0aef57561e89fb8
Opcode Fuzzy Hash: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
Instruction Fuzzy Hash: E201DD32200B059FDB62DBAAD500A6B77E9FFE17A0F45441FAF468B661DA30E805C750

Uniqueness

Uniqueness Score: -1.00%

Function 01524015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489cc108fc6ebec91920da96a1a4dd491ebe430e2ab58a72195ef147ee1bb374
Instruction ID: f66279d852401570af630008e675c0136c62583e492688b29cb6ba12c06742f0
Opcode Fuzzy Hash: 489cc108fc6ebec91920da96a1a4dd491ebe430e2ab58a72195ef147ee1bb374
Instruction Fuzzy Hash: D601DF722019467FC251AB6ACE80E57B7ACFB65664B00022AF5088BA21CB74EC11C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 01511951, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7cddac78fbb0d239a7c9ca9581b7ea3f78658750ad4d2d689e7f5c9e6a4ed2
Instruction ID: 7ac24a1f730b1e4b65ae984d674a3081ec8ca1cbb8eea44d4acd0747e04746d2
Opcode Fuzzy Hash: fa7cddac78fbb0d239a7c9ca9581b7ea3f78658750ad4d2d689e7f5c9e6a4ed2
Instruction Fuzzy Hash: 9D019E71A01209ABDB10DFA9D845EAFBBB8EF54710F00406AB910EB390DA74AA04CB95

Uniqueness

Uniqueness Score: -1.00%

Function 015119D8, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58b113f2e852a52bf60969b325297da5a46499102a8563cf4568192086cdfaca
Instruction ID: 871035d755a9d1210825dbb7c1e968c2ab46bc510ab2a099fa2a4ae60b5dffc9
Opcode Fuzzy Hash: 58b113f2e852a52bf60969b325297da5a46499102a8563cf4568192086cdfaca
Instruction Fuzzy Hash: 2F019271A01259ABDB10DFA9D845EAEBBB8EF54710F40405BF900EB390D6749A01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01511843, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4288e1d556a9db4293265a69c0acad63d5e11cff6ecf6d1f14c4d270df17e9f3
Instruction ID: f4f70ed7d7d13b42442fcf49e9a2e27c67a932373f7942aa49c99880dd2d53bf
Opcode Fuzzy Hash: 4288e1d556a9db4293265a69c0acad63d5e11cff6ecf6d1f14c4d270df17e9f3
Instruction Fuzzy Hash: BD019E71E01249ABDB14EFA9D845EAEBBB8EF54710F00406AF900EB390DA749A00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014570C0, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
Instruction ID: 7f71f613368f20952e1547affb98e720f5014f10936b14813e543fe3b5c007dd
Opcode Fuzzy Hash: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
Instruction Fuzzy Hash: 93117C72410B029FD7719E19C880B22B7E1BB20B23F15C86ED9894A663C778E881CB10

Uniqueness

Uniqueness Score: -1.00%

Function 015118CA, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b81f3b3d68d344d211f86c2f6b4ab90aa8cf1f84fa60d652c5040bf7c560c2
Instruction ID: a6e9ca6fadc089b69d770ac9d690e1b17a7a5f2e44538b4767063040a36be7fd
Opcode Fuzzy Hash: 13b81f3b3d68d344d211f86c2f6b4ab90aa8cf1f84fa60d652c5040bf7c560c2
Instruction Fuzzy Hash: 7701B571A01209AFDB10DFA9D845EAFBBB8EF54710F00405BF915EB390D674DA01C790

Uniqueness

Uniqueness Score: -1.00%

Function 0151138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08ec1cfef5dc07e0537433ae8b186ba0350cc41c8733262cedf2b20466b7ac0
Instruction ID: c4e443ce47993cee6415c0aeb7258454f0d406bae3e45439743d9648dbd9fe3d
Opcode Fuzzy Hash: c08ec1cfef5dc07e0537433ae8b186ba0350cc41c8733262cedf2b20466b7ac0
Instruction Fuzzy Hash: 9C019271A01209AFDB14DFA9D885EAEBBB8EF54700F00405AB904EB290D6749A41C794

Uniqueness

Uniqueness Score: -1.00%

Function 01528450, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab0c485f60ad926169880dc8cf1c2acbb4a6bb70ced4fcaa2074de596fe31cb
Instruction ID: d13ebf3f28e4b36fdc9c6ed0f56aa72bff86e9f066f7e5bb327921db5485b2d0
Opcode Fuzzy Hash: fab0c485f60ad926169880dc8cf1c2acbb4a6bb70ced4fcaa2074de596fe31cb
Instruction Fuzzy Hash: FD0188332007119FD7259AA9D844F6AB7EAFFD6614F08485DE6468F690DA70F841C790

Uniqueness

Uniqueness Score: -1.00%

Function 014558EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0ef1816a91320fbdfef45b0d999623aab1de0a3f67eb1b913744aaf7859c23
Instruction ID: a46582102fde329b742eecf003ad0a7d3ee4f5984e774e10d3815f8306e08874
Opcode Fuzzy Hash: dd0ef1816a91320fbdfef45b0d999623aab1de0a3f67eb1b913744aaf7859c23
Instruction Fuzzy Hash: 17018F31A001059BDB14EF6AE8149BF7BB8EB95528F95006FAE059F365EE30DD068790

Uniqueness

Uniqueness Score: -1.00%

Function 014595F0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
Instruction ID: 79b2a8d311a06ff3ef7268373a4b6a81f57cb09a4b8d89337e3fc83e73944c3e
Opcode Fuzzy Hash: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
Instruction Fuzzy Hash: EE014732A00141EBDB119B99C840F663799EBA5A38F10411BEE0D8F3B2DB34ED05C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01528966, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c09de63c3619415ba33b8735537f4051e4c921287736b034b56a08b3aac346a
Instruction ID: f065230d2d838799d9e6c573def6ca9bb3d856f6b30a927abdd04e047c348240
Opcode Fuzzy Hash: 6c09de63c3619415ba33b8735537f4051e4c921287736b034b56a08b3aac346a
Instruction Fuzzy Hash: BB0140B1A0021D9BCF00DFA9D8459AEBBF8FF58300F10445AE905E7390D7749A00CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01521074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b52f88a89e332bce8fcdcd3d01112a7002d2d1259d1e5e735edcae9398252e89
Instruction ID: 8bc61e0eee78ca9f7af42f91c59326263536ec582e463a45171a4fa745772127
Opcode Fuzzy Hash: b52f88a89e332bce8fcdcd3d01112a7002d2d1259d1e5e735edcae9398252e89
Instruction Fuzzy Hash: 25016873604B429FC321DF69C884B1B7BD5BBC0310F008919F8818B2D0EE34D940CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0146B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 7aeed56e29e8fd386aa36e23a7acd45285279eb6fa3765bfc0a478a433ddfb6d
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 7B0171B2300684DFE726871DC988FA77BDCEB95654F0940A2EA19CB771D638DC41C621

Uniqueness

Uniqueness Score: -1.00%

Function 0151129A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aaa7398a6cf968a339175b401edf924e0b3ef088ac07f157d779bb2fa4a8bfe
Instruction ID: f2ecaf0e14f8b553d14f788857ca1fa192d68c4cac0369a4a1174d5fd0c855eb
Opcode Fuzzy Hash: 0aaa7398a6cf968a339175b401edf924e0b3ef088ac07f157d779bb2fa4a8bfe
Instruction Fuzzy Hash: 84018471A00259ABDB10DFAAD845EAFBBB8EF64700F00406AF915EB290D674D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 015289E7, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629c301f769122555918ae8228f3e85837275e56774a7062697fe6596d4f30f2
Instruction ID: d47b73b40ba2e06ec46297881ee6930ab2facad59008f6c286b9fe65b268000f
Opcode Fuzzy Hash: 629c301f769122555918ae8228f3e85837275e56774a7062697fe6596d4f30f2
Instruction Fuzzy Hash: 83015E71A002199FCB00DFA9D9419AEBBF8FF58310F10405AE904EB350D634AA018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01528A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1256314126486545a52b0ae5a964cc753679120f82b2ec2fe2638d373fb06e0c
Instruction ID: 45f5b8662b78e3ded9307998b5c6b4b9b82608d385ae72e779d54743b2126898
Opcode Fuzzy Hash: 1256314126486545a52b0ae5a964cc753679120f82b2ec2fe2638d373fb06e0c
Instruction Fuzzy Hash: F1011E71A002199FCB00DFA9D9459AEBBF8FF59710F14405AF904EB351DA74A9018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 01528ADD, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207f8c3dfb4febad3af3163d9ee0b29f31efd2f93b8f421537550eecab5bf05d
Instruction ID: 5e41d4c280d9710e267f87025a9ef36bfd47c766377ae911a6befd23daa05066
Opcode Fuzzy Hash: 207f8c3dfb4febad3af3163d9ee0b29f31efd2f93b8f421537550eecab5bf05d
Instruction Fuzzy Hash: 3D011EB2A002199BDB00DFA9D9459EEBBF8FF59710F10405AF904EB350D634AA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0145DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 1b2f40b43ad295baec2c1a7338b250993ed3b73d9216b49fc94db4c1ca706be7
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 91F0F2335015239BD3725BD944C4F57F6578FE1551F150037FA0557366C9708C0346D0

Uniqueness

Uniqueness Score: -1.00%

Function 0145B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 58f0f78c5f2904ca40b3a7e8470d8224beb23ae20c33b047561dad88d484804a
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 4501D6322005849BD722975DC848FAA7B99EF55794F0C0063FE158B7B3D674C801C235

Uniqueness

Uniqueness Score: -1.00%

Function 01457057, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb0bdc32596bcb9fc8134feaa32d50f1efc608250cb4bf1bf7bf4ce5bc412a32
Instruction ID: b5822f3e0eec58c7af9238fde94ccc6a17c1c0efe77f3ce12ce0fbfe92be8d0c
Opcode Fuzzy Hash: eb0bdc32596bcb9fc8134feaa32d50f1efc608250cb4bf1bf7bf4ce5bc412a32
Instruction Fuzzy Hash: 4E01AD35200608ABD731DF69DC05FABBBF9EF54A00F11016EE905832A1CAB1BA04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01529BBE, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3c0fb79680e2eae6026bb314833a1e74601b5ba5cd9664092de6a716e2090f
Instruction ID: 454b442f687f971e1524cb8e96f1cf55a5ecbab3f6feef6d231685fb035fa628
Opcode Fuzzy Hash: df3c0fb79680e2eae6026bb314833a1e74601b5ba5cd9664092de6a716e2090f
Instruction Fuzzy Hash: F7017C72A002199BCB00DFA9D845AAEBBF8FF58310F14005AE904AB390D734AA01CB98

Uniqueness

Uniqueness Score: -1.00%

Function 01511229, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0893141a7e2406a5f37d4d44f9b938fef3a6d12d98209d9a5f396c3f586959e
Instruction ID: aca4de50f3924ec7961df38aef10fc6d98e02472eb2a24adeda54b7100283b5e
Opcode Fuzzy Hash: e0893141a7e2406a5f37d4d44f9b938fef3a6d12d98209d9a5f396c3f586959e
Instruction Fuzzy Hash: F001A972A00658ABDB14DBFAD4459EFB7B8EF64710F00809AE511EB290E97599018791

Uniqueness

Uniqueness Score: -1.00%

Function 01485AA0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2029a114c36bb4c92c887f33788b343d8ca89f1f3266e36f8717b5269d555587
Instruction ID: 27c6ab9fcfd1891c6b365c0c4da39d6a2bcb1ce1070a13630cf36ba03a5ddbb8
Opcode Fuzzy Hash: 2029a114c36bb4c92c887f33788b343d8ca89f1f3266e36f8717b5269d555587
Instruction Fuzzy Hash: 3A01D6325406469FDB21AB18C8C4F5EB798AB61720F008147FD149F3B1DBB4DD408B51

Uniqueness

Uniqueness Score: -1.00%

Function 01453591, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
Instruction ID: 53fa30ce4ef3d1a54dc530502d6d579a63f100aacaf244e20c7249433d6cefe3
Opcode Fuzzy Hash: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
Instruction Fuzzy Hash: 2EF04C71A0120D9BEB60DFA98410FAB7BE8FF90754F04819BDE01D7312DA31D8409390

Uniqueness

Uniqueness Score: -1.00%

Function 0150FDD3, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02445a3888e01a6ffdc108a5fb43e0eee4b1cf344748020dd452dd9473277a65
Instruction ID: 85e9ab1453a6a15645fbbac5dcb55a620fe7df659368abe49127ce84e2958813
Opcode Fuzzy Hash: 02445a3888e01a6ffdc108a5fb43e0eee4b1cf344748020dd452dd9473277a65
Instruction Fuzzy Hash: E6F0AF31B00248ABDF14EBEAD805E7EB7B4FF54A00F44006AA901EF690EA31AD01C745

Uniqueness

Uniqueness Score: -1.00%

Function 01451BE9, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b619a71a48c2b8fc4bd3b9482bbcb6548e364b6e99d490dbd24e33bd0f4c0c
Instruction ID: f6d196a37c1531cf8bd760136c8868f8090dc61826f903f6deed1ff06f82dd03
Opcode Fuzzy Hash: 41b619a71a48c2b8fc4bd3b9482bbcb6548e364b6e99d490dbd24e33bd0f4c0c
Instruction Fuzzy Hash: 62F0F631614208ABD759DB29CC00B56B7EDEF98701F14807E9949C7261EAB2ED01D354

Uniqueness

Uniqueness Score: -1.00%

Function 0151131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa39bbc9f923a68dc51461ba2846d77f06fbb3a93dc7ca558b0328eec277ee3
Instruction ID: 1157279eabda37dfa5ddb3188e07ed1483927e8769e1c628751c65dae7436fc1
Opcode Fuzzy Hash: eaa39bbc9f923a68dc51461ba2846d77f06fbb3a93dc7ca558b0328eec277ee3
Instruction Fuzzy Hash: 65013C71A01649AFDB04EFA9D545AAEBBF4FF18700F40409AB905EB391E634AA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0147C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3627cb6ab99fb95deb98d4d01393fe55fe5b81a8576d5b3e0881d150947d84
Instruction ID: 4019301e25e3a53366b5962412f649fce26c67b023506ce75411c7c621fd186d
Opcode Fuzzy Hash: 2d3627cb6ab99fb95deb98d4d01393fe55fe5b81a8576d5b3e0881d150947d84
Instruction Fuzzy Hash: 51F090B2915AB3DEE7368B5C80C4BA37FD49B45770F444867D50587372C6B6DC84C250

Uniqueness

Uniqueness Score: -1.00%

Function 01512073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ea9aa07f9cd6c17be248aeea059dea8fdc3ec30f2f76480f0b81d9899766e2
Instruction ID: e17447a9aea8099f63c32d274ffd1354d64d3bf9bbca86822bd212df657b46ff
Opcode Fuzzy Hash: 72ea9aa07f9cd6c17be248aeea059dea8fdc3ec30f2f76480f0b81d9899766e2
Instruction Fuzzy Hash: 8CF0A76F41518A4BFE379B7861112D93BD1F795118F2A0585D5601F20DC5358897EB10

Uniqueness

Uniqueness Score: -1.00%

Function 0149927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: b675c6781ad88e081664532c0f227df124f9faeee7a1deb50f4b0b78475c6b93
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 5EE02B323405016BEB119F0ACC80F533B5DDFA2724F0440BEB5045E252C6F5DC0887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01528D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f25cab5098624f1abdff77bbd611e72e26be41fab6df2f375388f9b47d1221d
Instruction ID: 6f032b66c7dc6f359476ed9b6673479b680b807cb95476a1802612b6a445c772
Opcode Fuzzy Hash: 1f25cab5098624f1abdff77bbd611e72e26be41fab6df2f375388f9b47d1221d
Instruction Fuzzy Hash: 8DF0B471A046199FDB14EFB9D445B6E77F4FF24700F50809AE905EB290EA34D904C794

Uniqueness

Uniqueness Score: -1.00%

Function 01528C75, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d7323ee3c32593de9b8c9f22fc8f25ac6bacb4075cca4582d58cba129bbd22
Instruction ID: 21452c1475672573372c6ab77711cd9a9f31e21c16c8cfc9950e8a17b0278233
Opcode Fuzzy Hash: 97d7323ee3c32593de9b8c9f22fc8f25ac6bacb4075cca4582d58cba129bbd22
Instruction Fuzzy Hash: B0F09071A142599BDB14EFA9D905E6E77B4FB24200F004499A905EF290EA349900C784

Uniqueness

Uniqueness Score: -1.00%

Function 01528C14, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8f7b87bd94be40059c9481d9acd5fb379d32658ae7f91d31f8d3d837bffada
Instruction ID: 83e7075cc233a83da416a1a58dbdb3af268c6d4c8daa8922fdf1fb93f333a0a7
Opcode Fuzzy Hash: 0f8f7b87bd94be40059c9481d9acd5fb379d32658ae7f91d31f8d3d837bffada
Instruction Fuzzy Hash: 50F09071A042199BDB14EBA9D905A6E77F4FB24200F404459A915EF290EA349900C784

Uniqueness

Uniqueness Score: -1.00%

Function 01528B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2382c544802e3b1c31237c14382e8a49776397bc71f867e715ba5f3bc3e43f9e
Instruction ID: 8c2075bde9dc5540930bf01a04c3ebe4a73a3a46afc32d23c54d727a9b9d96b5
Opcode Fuzzy Hash: 2382c544802e3b1c31237c14382e8a49776397bc71f867e715ba5f3bc3e43f9e
Instruction Fuzzy Hash: D8F05EB1A04259ABDF10EBA9D90AE6E77B4EB14604F44045DAA15AB2D0EA34D900C798

Uniqueness

Uniqueness Score: -1.00%

Function 01528BB6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4955738a5ef9d3ae9c80b4c3f3b9d27c372a186720ccaebb42b94a4d0db9f533
Instruction ID: 346b51cf59b5a833b296f3ea2e33ff0a9acf10302fc9e725f82041de6416681f
Opcode Fuzzy Hash: 4955738a5ef9d3ae9c80b4c3f3b9d27c372a186720ccaebb42b94a4d0db9f533
Instruction Fuzzy Hash: 6EF0BE71A04259ABDB10EBA9E905E6E77B4FB24200F40005DB905AB290EA34E900C788

Uniqueness

Uniqueness Score: -1.00%

Function 01511BA8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2232943e83db4c93afe8c8146112e287662455a69a204d7726d8e75a79ca5d
Instruction ID: 3e289bc4dfffefab7a13da1d9e765c69a863317d6b9fa3bf303be5ee89f7c56d
Opcode Fuzzy Hash: df2232943e83db4c93afe8c8146112e287662455a69a204d7726d8e75a79ca5d
Instruction Fuzzy Hash: AEF0BE71A05248ABDF14DBE9D44AAAE7BB4FF18204F00009AE605AB290E938D900C758

Uniqueness

Uniqueness Score: -1.00%

Function 0147746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c102c7fa3e0ead628afa586a85ec78bee4b6e9135f5a96ca04da0756723d8aee
Instruction ID: 6534c8b2333c6e7e1f8af411acca65694dc4507df931cca2dd427997a06a1f68
Opcode Fuzzy Hash: c102c7fa3e0ead628afa586a85ec78bee4b6e9135f5a96ca04da0756723d8aee
Instruction Fuzzy Hash: 1FF0E235900145ABDF02DB6CC884BFABFB9AF24216F84023BD851AB271E735D802C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 01528CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d5130dad4e5720932b8ada48152e22379c74f38f6adb7a4eabe955aceb1700
Instruction ID: 799b93a5673fb8bb6110c3a03ec075884d0f97c54f709087e6e7718f87fd095f
Opcode Fuzzy Hash: 86d5130dad4e5720932b8ada48152e22379c74f38f6adb7a4eabe955aceb1700
Instruction Fuzzy Hash: B6F0E271A04209ABCF00DBE9E845EAE7BF4EF29300F50019EE915EB2D0EA34E904C754

Uniqueness

Uniqueness Score: -1.00%

Function 0145354C, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726f8ba179828b237f52867d1ea5d2b4780321bb9dcb21e0c90f54872ee14c9c
Instruction ID: 4521830bc8e2bdbcca1a9dc0883f7ddb70e8bef8132473be01ac3bbbe6b1b192
Opcode Fuzzy Hash: 726f8ba179828b237f52867d1ea5d2b4780321bb9dcb21e0c90f54872ee14c9c
Instruction Fuzzy Hash: 94F0E2329116998FE722871CC040B17BBD8AB21B70FA64427EA0487AA3C338C888C380

Uniqueness

Uniqueness Score: -1.00%

Function 0148A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d1dc8053ab270cf2b08f062812f5e464855e9bd77b812605a02e5c43c5d0d7
Instruction ID: 3c9cee13ca2ee88ce68c902943f7a23ea96af3585d7538cb221f30acc446ae8d
Opcode Fuzzy Hash: 10d1dc8053ab270cf2b08f062812f5e464855e9bd77b812605a02e5c43c5d0d7
Instruction Fuzzy Hash: D1E092B2A01421ABD722AA19AC00F6B779DDBE4A51F1E403AE604C7234D678DD06C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0145F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 15e8a613cb5f73fb046439e55ab15bf62120cc65314b06696d2bff4083a1b3f6
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 22E0D832A41118FBDB61A6D99E05FABBFACDB54A60F040156FE04D7161D5749D04C2D1

Uniqueness

Uniqueness Score: -1.00%

Function 014515C1, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
Instruction ID: b9ae183f78e5c946b84c4b0170d95ac4e87492ff6ba3b116f1173ebced8b3f16
Opcode Fuzzy Hash: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
Instruction Fuzzy Hash: D8E0657161014AA7DB62AA58C541FB7B799AB61B08F488177ED028B663D6709C42C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 01495C70, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315252d8d3e5e1fdd0d3f6bd8f50884039f61c830c14d95a10b54c942d48fd22
Instruction ID: ec241ff4a97382384cf513a252db6e4acc2953117764266851cde80bac11db28
Opcode Fuzzy Hash: 315252d8d3e5e1fdd0d3f6bd8f50884039f61c830c14d95a10b54c942d48fd22
Instruction Fuzzy Hash: CCE04F71140289AFFF12DB45C544F263FA9ABA4720F24C11BE619CF1B1C774E984CB45

Uniqueness

Uniqueness Score: -1.00%

Function 014E41E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1264687261de62541883414a323123a98c8e38eb23ea505f6cefc7d17ee8ae15
Instruction ID: 30150540612dbcd7a5e7a45f2cde70465e06c65f23788bd4987a72420a7b0ad4
Opcode Fuzzy Hash: 1264687261de62541883414a323123a98c8e38eb23ea505f6cefc7d17ee8ae15
Instruction Fuzzy Hash: 0EF01C78850701CFCB74EFEAD5247283AE4F76435AF42411A91208B6A8D7354459EF01

Uniqueness

Uniqueness Score: -1.00%

Function 0150D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 3c8f6a98e8e4f269f7cfb141b793ae3d4173f25577a380d1f86150401e8c7fcd
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 6CE0C232280205BBDB235EC4CC00FA9BB6AEB607A1F104036FE086F6E1C671AD91D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 0148A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37804db84865fba90b99efafcf0820d290e48e60ebba65627b2166103f66b2e
Instruction ID: b399e33ac787f7be665f7e6d12252047c515d674f06fa38c6e86e9ee2076ef40
Opcode Fuzzy Hash: f37804db84865fba90b99efafcf0820d290e48e60ebba65627b2166103f66b2e
Instruction Fuzzy Hash: 74D02EB11610002BC72EB700DA18B393292F792B68F380C0FF2034F9B4EAF4D8D99208

Uniqueness

Uniqueness Score: -1.00%

Function 014D53CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 3b4a02d742f0b2899620b7fe735ce0f89d5c6770409ff1c59f3f87e840f2ed1e
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 46E08C319006809BCF12DB49C660F4EBBF9FB54B00F14000AA1086F730CA34AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0146AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: d8c3e54994355bb471e1d57b889177f592137babde5ab941bc8062de2c9d2fd4
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: FAD0E975352D80CFD617CB1DC594B5677A8BB44B44FD504A1E501CB762E63CD944CA10

Uniqueness

Uniqueness Score: -1.00%

Function 014835A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: d8a6904d7777bd19c6592b276bb4c67601cf9aefe123ab3de511f057578bc755
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 54D0A931401181DAEB02FF14C21876D3BB2BB10E08F5824EB800206A72C33ACA0AC721

Uniqueness

Uniqueness Score: -1.00%

Function 0145DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 758d99c9c7ea7cb819fce5855ea83fe640cb5c3599a87d9752b8fed64cba485f
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: ACC08C30280A01EAEB222F20CE01B513AA1BB20B01F4800A16700DA4F0EB7CD801E600

Uniqueness

Uniqueness Score: -1.00%

Function 014DA537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: e2c254e26223dadb13433abb8594710a61119fe243f0aff58c85519f8c650715
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 11C08C33080248BBCB126F82CC00F467F2AFBA4B70F108415FA080B570C632E970EB84

Uniqueness

Uniqueness Score: -1.00%

Function 01473A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 32b337f5668df6ba66e40444f669e6c258193d9b33dee91ebfc9f0ae4da17907
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 96C04C32180648FBC7126E46DD01F557B69E7A4B60F154025B6080A9718576ED61D598

Uniqueness

Uniqueness Score: -1.00%

Function 0145AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: aa0e7af577bf4d7c4374a103e22a2b5f7786ba80208df7db65cac23ba79e2176
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: E9C08C32080248BBC7126A46CD00F01BB29E7A0B60F000021B6040A671C932E861D588

Uniqueness

Uniqueness Score: -1.00%

Function 01484190, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction ID: 47b7b74fa0e995cff6fc843ce3004f0e4280f1b0c0d2c54437a325a3bc31ea25
Opcode Fuzzy Hash: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction Fuzzy Hash: A9C04C397115418FCF15CB2AC284F5677E4B754B45F1508A5E805DB731E634E800DA14

Uniqueness

Uniqueness Score: -1.00%

Function 01508D47, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction ID: a09f0c7b50f5471c6a35b80f2396d0b5c27f6a3f5c27fecb8b855518c3558d18
Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction Fuzzy Hash: 41C09B1F5556C54DCD278F3443127D5BF60D7429D0F1D14C1D4D11F553C1144513D625

Uniqueness

Uniqueness Score: -1.00%

Function 01477D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: edc8fc9fb366640d0131d39f2aff98e8d951517bec64287c246fa91fc73e2de0
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: C8B092353019408FCE16DF18C084B5633E4BB48A40B8400D0E400CBA21D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 01482ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: fe103c944ef41a5f4e12057186af68c3f1c8261a8b14904b569cc15f71f08077
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 48B01232C10441CFCF02EF40C610B197375FB10B50F054495900137930C239AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 014540FD, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 195COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 014B05F1
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 014B04BF
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 014B0566
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 014B05AC
ExecuteOptions, xrefs: 014B050A
Execute=1, xrefs: 014B057D
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 014B058F

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: fe5538bc4eaba019fae9f1e93e757bca45c11fd193b97699ed949a02ccca737f
Instruction ID: 80eee365a75dc5a603600fbcbc8f96353264b147c82411b1b718ed04d30aafc7
Opcode Fuzzy Hash: fe5538bc4eaba019fae9f1e93e757bca45c11fd193b97699ed949a02ccca737f
Instruction Fuzzy Hash: 50612E757002197AEF10DA95DC89FEA77B8EF78305F18009FD905AB1A2F7709E858B60

Uniqueness

Uniqueness Score: -1.00%

Function 01491CC7, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

$, xrefs: 01491D37
@, xrefs: 01491D1B

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 6e435b0016e8c2343a7ed77508076b2bcacfb8a7f770ff9e73a01ad02216f1f1
Instruction ID: 0d358548830f10189e0c78c48255f593e4f251554ff3ad7b66bbffcf6df7ae09
Opcode Fuzzy Hash: 6e435b0016e8c2343a7ed77508076b2bcacfb8a7f770ff9e73a01ad02216f1f1
Instruction Fuzzy Hash: 9D812975D0026A9BDB71DF94CC44BEEBAB8AB18714F0041EBAA1DB7250D7705E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 014EFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014EFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 014EFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 014EFE2B

Memory Dump Source

Source File: 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: fbe1eb42824c7efc602c1bfd701f7d41ac58b0a1fff83c474687982500f43c59
Instruction ID: 0bb2af4ea9f15b131e5e9f2a2ff4491e7ee7519cf89d3379d6c95727ad5e868f
Opcode Fuzzy Hash: fbe1eb42824c7efc602c1bfd701f7d41ac58b0a1fff83c474687982500f43c59
Instruction Fuzzy Hash: F6F0FC761401017FEB201A86DC05F237F9ADB54731F24031AF624565F1D972F83086F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Quotation-4834898943949883.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior